Comments
From what I could find ~6 months ago, $70 was the cheapest. It was a Comodo one.
On gogetssl.com reseller I see Comodo $75.00/1 year, $131.00/2 years.
Comodo
This seems to be the lowest I can find. The others (Thawte) start at 110/1yr minimums. Something I found interesting is if you follow blog links that are affiliate links, the prices go up compared to directly visiting some of these sites/resellers. Like directly visiting the seller would be $x, but going through an accidental aff link makes it $x+7 or whatever.
https://www.gogetssl.com/code-signing-certificates/comodo-codesigning-ssl/ - $83.85/1yr, $73.38/2yr
Enroll in their reseller program (I've never heard of anyone getting declined for it) to get the discount price that I mentioned. It comes out to $65.50/year for the 2 year certificate. That's interesting about the leaderssl 3 year one since I didn't realize those were still issued.
This would actually be something I would love to see from LetsEncrypt complete with a backing virus scan record (VirusTotal partnership?).
More reliable than using certificates as a sign of trust. I'm sure most serious ransomware authors can afford a fresh $75 certificate for each run they do.
Never going to happen, virus scans are too easy to bypass.
@ehhthing compared to a code signing certificate which provides no guarantee of anything other than the author has access to $75?
$75 is a higher entry requirement than obfuscation of code with free, publicly available tools.
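One defensive reading of this point, as an added example that is not from the thread: a "Valid" Authenticode result only tells you who signed a file, so a practitioner gates on an allow-list of publisher thumbprints (an assumed list with placeholder values here) and records the SHA-256 for a scan-record lookup, rather than treating validity alone as trust.

```powershell
# Added example, not from the thread. Assumes a locally maintained allow-list of
# publisher certificate thumbprints; the value below is a placeholder.
param(
    [Parameter(Mandatory)] [string] $Path
)

$AllowedSigners = @(
    'PLACEHOLDER_THUMBPRINT_OF_TRUSTED_PUBLISHER'
)

function Test-PublisherTrust {
    param([string] $FilePath, [string[]] $Allowed)

    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash

    $result = [pscustomobject]@{
        File       = $FilePath
        Sha256     = $hash                       # key for a scan-record / reputation lookup
        Status     = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Trusted    = $false
    }

    # "Valid" means the chain builds to a trusted root and the file hash matches the
    # signed hash. It says nothing about whether this publisher is one you accept,
    # so the decision is made on the signer's thumbprint, not on Status alone.
    if ($sig.Status -eq 'Valid' -and $Allowed -contains $sig.SignerCertificate.Thumbprint) {
        $result.Trusted = $true
    }
    return $result
}

Test-PublisherTrust -FilePath $Path -Allowed $AllowedSigners | Format-List
```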
@ehhthing I'm sure there are undetected packers and crypters out there. But free publicly available tools generally get detected very quickly.
Anyone seriously using code signing certificates for malicious purposes should be making many significant digits more than $75 per run, so it's a non-argument. Some studies have shown an income on average of over $150k per year for ransomware authors!
I'd rather see less money in certificate cartels' hands and more validation of what's actually being signed.
Public packers get falsely detected. You cannot detect something as a virus simply because it is packed. There are legitimate purposes for packing code (i.e. reduced file size, anti-piracy).
Anti-virus software has an astonishing false positive rate considering how bad it is at doing its task.
Trust me, I'd love free code signing certificates, but I know it's not going to happen simply because it isn't needed for most software.
@ehhthing Funny, I'm perfectly happy with the detection of a packed exe when it comes to a free certificate. You want to do something beyond the scope of normal - then go pay for a certificate (or a manual review etc).
From the main AV vendors I've yet to see a false positive that wasn't on something that doesn't fall into a gray area (cracking software etc).
The closest thing I see to something like a "letsencrypt for software" is code certificates issued by GitHub or another company for open source software that has been manually reviewed.
I've seen many programs that I've written falsely detected as malware. I've mostly seen it for C++ exes compiled with MinGW. Getting past virus scans isn't just about obfuscation. Not doing low-level system calls, as well as working in a higher level language, also easily bypasses AV scans. For example, an ElectronJS EXE doesn't actually have any compiled user-written code for an AV program to scan. They can only scan source files, which no major AV can actually properly scan. These source files are also often minified and combined, making it very hard to find where the actual user-written code is. Yes. At this level, ransomware and other types of viruses are very hard to implement; however, many pieces of malware can be written in JS. The basic "redirect home page" and "show ads on screen" can be implemented this way. Even keylogging is possible if you try hard enough.
Yes, they are trusted code signing providers. But I have found another code signing provider where the price of code signing certificates starts from $69.99/1yr, $64.99/2yr, $49.99/3yr (Comodo Brand) & also check more code signing certificates from different brands - https://signmycode.com/code-signing-certificates
Due to the new CA/B Forum guidelines, all code signing certificate prices have now increased because of token- and HSM-based storage.
But you can find the cheapest code signing option - the Certera Code Signing Certificate from the CA Certera, at the lowest price now!
You can buy from here:
https://certerassl.com/certera-code-signing-certificate
https://signmycode.com/certera-code-signing-certificate
Same cert with all features at a lower price!