# On the Internet, Trust is Fleeting

By [Brian Tokuyoshi](https://www.paloaltonetworks.com/blog/author/brian/?ts=markdown "Posts by Brian Tokuyoshi")

Jun 07, 2012

As further analysis of Flame comes to light, one of its most interesting aspects is the way it establishes trust. Or, perhaps more accurately, how it appropriated it. Flame was able to make its software packages appear to come from Microsoft. In recent days, Microsoft has been working to correct the problem by pushing out patches and by taking steps to harden Windows Update against the techniques that Flame used for a man-in-the-middle attack.

The process of establishing trust on the Internet relies on a system of certificate authorities that are already trusted by your operating system and web browser. Certificates issued by those certificate authorities are also trusted by virtue of chaining back to a trusted root. In other words, I'll trust you as long as both of us trust the same third party. Microsoft is just one company that maintains a certificate authority. There are hundreds of others around the world.

While public key infrastructure (PKI) has a number of uses, among its most widely used applications are server-side SSL certificates and code signing certificates. These are particularly useful because they deal with a one-to-many trust relationship. An ecommerce site needs to be able to prove that it's legitimate to all of its users. A company that distributes patches over the Internet can sign the code so all of the recipients know that it's for real.

While trust is easily given in this method, it's also very hard to take away. With PKI, you can generate a Certificate Revocation List (CRL), which is a static list of certificates that you shouldn't trust anymore. It's a system that's hard to scale and it's also not very practical for endpoints because it depends on the host to perform the checks against a list of every potentially bad certificate in existence. If any of you are old enough to remember this, it's like the books of invalid credit card numbers that merchants used to use before the electronic point of sale became mainstream. There's an online method of checking a certificate through the Online Certificate Status Protocol (OCSP), which has a mixed level of adoption by both endpoints and certificate authorities. The third method is through software updates, which are used to add a trusted root certificate and can also be used to remove one.

All three scenarios could work in a perfect world, but in the real world, it can actually be quite difficult to make a community of users stop trusting a certificate as soon as a risk emerges. In recent years, there have been numerous cases of dangerous conditions where certificates needed to be revoked immediately. There were issues such as the [creation of a subordinate certificate authority linked to a trusted root](http://threatpost.com/en_us/blogs/mozilla-warn-cas-about-issuing-mitm-certificates-021412), trusted [certificates issued to an unauthorized party](http://www.wired.com/threatlevel/2011/03/comodo-compromise/), and [the use of stolen private keys to sign code](http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1), just to name a few. Research into Flame reveals that the attackers took an entirely different approach by [using a hash collision to build a code signing certificate](https://threatpost.com/en_us/blogs/flame-malware-uses-forged-microsoft-certificate-validate-components-060412) chained to Microsoft.

Some people see this as a supply problem, in that owners of certificates need to be proactive about cleaning up the use of weak cryptographic algorithms and keys. Yet as pointed out earlier, on the consumption side, it's hard to remove trust in a certificate. For enterprises looking to protect their users, it can be very challenging to make sure every endpoint stops trusting a certificate in order to prevent unwarranted trust in a website or code. [Microsoft has issued an update](http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx) that revokes the certificates that were exploited in this trust relationship, so the right process to remove trust has been initiated on the supply side.
Enterprises, however, typically cannot get patches issued to thousands of endpoints on a dime, and there is a window of exposure between a patch's availability and the patch being fully deployed. As a result, code tied to the attacker's certificate could still be trusted, thus posing continued risk of exposure. This is just one example of why enterprise network security plays such a critical role in protecting endpoints. It also highlights a reason why network security should be in place even for mobile users through an always-on remote access connection, as it would otherwise be impossible to patch or protect an unconnected endpoint.

In terms of vulnerability protection, Palo Alto Networks has issued a number of signature updates that detect the presence of Flame, such as the ability to identify Flame's command-and-control traffic. More importantly, there are also new signature updates that detect files signed by the invalid certificates, thus providing enterprises with the ability to spot untrusted code even in advance of the installation of the patch or confirmation of the certificate's revocation.

There's a lot of talk going on about what needs to be done to prevent the abuses of trust found in the certificate authority system. There is discussion about whether changes need to be made to remove trust more quickly. Ultimately, however, enterprises can't wait for changes in the system to occur, and that's why it's critical to have vulnerability protection and network security delivering the means for enterprises to protect themselves.
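
The exposure window described above can be measured on a Windows endpoint. The following PowerShell is an added example, not code from the original post or from Palo Alto Networks: it reports which blocklisted certificates are still missing from the machine's Untrusted Certificates store and which signed files chain to them. The thumbprints are placeholders, and the function names and the scanned path `C:\SampleScanRoot` are assumptions.

```powershell
# Added example. The thumbprints are PLACEHOLDERS: replace them with the
# values published in the vendor advisory for the certificates being revoked.
$Blocklist = @('PLACEHOLDER_THUMBPRINT_1', 'PLACEHOLDER_THUMBPRINT_2')

function Get-MissingRevocation {
    # Blocklisted thumbprints that are NOT yet in the machine's Untrusted
    # Certificates store (Cert:\LocalMachine\Disallowed), meaning the update
    # that removes trust has not taken effect on this endpoint.
    param([string[]]$Thumbprints)
    $untrusted = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
        ForEach-Object { $_.Thumbprint })
    $Thumbprints | Where-Object { $untrusted -notcontains $_ }
}

function Find-BlocklistedSigner {
    # Signed files under $Path whose signer chain contains a blocklisted
    # certificate, together with the verdict the OS currently gives them.
    param([string]$Path, [string[]]$Thumbprints)
    $files = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' }
    foreach ($file in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        if (-not $sig.SignerCertificate) { continue }   # unsigned file

        # Rebuild the chain locally. Revocation lookups are disabled because
        # the match is made against our own list, not the endpoint's view.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($sig.SignerCertificate)

        $hits = @($chain.ChainElements |
            ForEach-Object { $_.Certificate.Thumbprint } |
            Where-Object { $Thumbprints -contains $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                File        = $file.FullName
                OsVerdict   = $sig.Status      # 'Valid' = still trusted here
                MatchedCert = $hits -join ','
            }
        }
    }
}

# Hypothetical scan root; point it at the directories you want audited.
$missing = @(Get-MissingRevocation -Thumbprints $Blocklist)
"Revocations not yet applied on this host: $($missing.Count)"
Find-BlocklistedSigner -Path 'C:\SampleScanRoot' -Thumbprints $Blocklist |
    Format-Table -AutoSize
```

A file listed with an `OsVerdict` of `Valid` is one the endpoint still trusts despite the blocklist match, which is the window of exposure the post describes. The chain is rebuilt from the local certificate stores, so an intermediate that exists only inside a file's signature block may not appear in it.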