date 2018-01-01
from the jest-sine-hear dept.
Researchers break digital signatures for most desktop PDF viewers | ZDNet
A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services.
[...] The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services.
The team went public with their findings over the weekend after all affected app makers and commercial companies finished patching their products.
The reason why researchers were willing to wait months so all products would receive fixes is because of the importance of PDF digital signatures.
Digitally signed PDF documents are admissible in court, can be used as legally-binding contracts, can be used to approve financial transactions, can be used for tax filing purposes, and can be used to relay government-approved press releases and announcements.
Having the ability to fake a digital signature on an official PDF document can help threat actors steal large amounts of money or cause chaos inside private companies and public institutions.
(Score: 2) by JoeMerchant on Wednesday February 27, @01:19AM (2 children)
about as surprising as the location of tomorrow's sunrise.
(Score: 0) by Anonymous Coward on Wednesday February 27, @01:29AM (1 child)
Yea, I never gave a single thought to the idea these signatures were at all secure. It seemed like a joke to me... but if people accepted them then why not? It was way easier.
(Score: 2) by bob_super on Wednesday February 27, @01:38AM
I think I had to sign a few documents on a company PC ... which was taken away a few months later because IT policy said it was time.
I didn't save any key or anything, and I can't remember even entering my email (and definitely not my password) in the tool.
What gives the signature any legitimacy?
(Score: 2) by MostCynical on Wednesday February 27, @01:43AM
and this is why law firms have couriers and fax machines.
Originals, and duplicates ("sign twice" - once on each copy) is the only way to be sure.
