Code signing certificate

Looking for a standard one, anyone know if available under ~$70/yr? I already know the usual down to 67.50/yr, hoping for 50.

Comments

  • From what I could find ~6 months ago, $70 was the cheapest. It was a Comodo one.

  • On gogetssl.com reseller I see Comodo $75.00/1 year, $131.00/2 years.

  • hzr Member

    Comodo

    This seems to be the lowest I can find. The others (Thawte) start at 110/1yr minimums. Something I found interesting is if you follow blog links that are affiliate links, the prices go up compared to directly visiting some of these sites/resellers. Like directly visiting the seller would be $x, but going through an accidental aff link makes it $x+7 or whatever.

    Thanked by 3op23 mrTom 0xC7
  • willie Member
    edited August 2018

    https://www.gogetssl.com/code-signing-certificates/comodo-codesigning-ssl/ - $83.85/1yr, $73.38/2yr

    Enroll in their reseller program (I've never heard of anyone getting declined for it) to get the discount price that I mentioned. It comes out to $65.50/year for the 2 year certificate. That's interesting about the leaderssl 3 year one since I didn't realize those were still issued.

  • SplitIce Member, Host Rep

    This would actually be something I would love to see from LetsEncrypt complete with a backing virus scan record (VirusTotal partnership?).

    More reliable than using certificates as a sign of trust. I'm sure most serious ransomware authors can afford a fresh $75 certificate for each run they do.

  • @SplitIce said:
    This would actually be something I would love to see from LetsEncrypt complete with a backing virus scan record (VirusTotal partnership?).

    More reliable than using certificates as a sign of trust. I'm sure most serious ransomware authors can afford a fresh $75 certificate for each run they do.

    Never going to happen, virus scans are too easy to bypass.

  • SplitIce Member, Host Rep

    @ehhthing compared to a code signing certificate which provides no guarantee of anything other than the author has access to $75?

  • @SplitIce said:
    @ehhthing compared to a code signing certificate which provides no guarantee of anything other than the author has access to $75?

    $75 is a higher entry requirement than obfuscation of code with free, publicly available tools.

  • SplitIce Member, Host Rep

    @ehhthing I'm sure there are undetected packers and crypters out there. But free publicly available tools generally get detected very quickly.

    Anyone seriously using code signing certificates for malicious purposes should be making many significant digits more than $75 per run so it's a non-argument. Some studies have shown an income on average of over $150k per year for ransomware authors!

    I'd rather see less money in certificate cartels' hands and more validation of what's actually being signed.

  • @SplitIce said:
    @ehhthing I'm sure there are undetected packers and crypters out there. But free publicly available tools generally get detected very quickly.

    Anyone seriously using code signing certificates for malicious purposes should be making many significant digits more than $75 per run so it's a non-argument. Some studies have shown an income on average of over $150k per year for ransomware authors!

    I'd rather see less money in certificate cartels' hands and more validation of what's actually being signed.

    Public packers get falsely detected. You cannot detect something as a virus simply because it is packed. There are legitimate purposes for packing code (i.e. reduced file size, anti-piracy).

    Anti-virus software has an astonishing false positive rate considering how bad it is at doing its task.

    Trust me, I'd love free code signing certificates, but I know it's not going to happen simply because it isn't needed for most software.

  • SplitIce Member, Host Rep

    @ehhthing Funny I'm perfectly happy with the detection of a packed exe when it comes to a free certificate. You want to do something beyond the scope of normal - then go pay for a certificate (or a manual review etc).

    From the main AV vendors I've yet to see a false positive that wasn't on something that doesn't fall into a gray area (cracking software etc).

  • ehhthing Member
    edited August 2018

    @SplitIce said:
    @ehhthing Funny I'm perfectly happy with the detection of a packed exe when it comes to a free certificate. You want to do something beyond the scope of normal - then go pay for a certificate (or a manual review etc).

    From the main AV vendors I've yet to see a false positive that wasn't on something that doesn't fall into a gray area (cracking software etc).

    The closest thing I see to something like a "letsencrypt for software" is code certificates issued by GitHub or another company for open source software that has been manually reviewed.

    I've seen many programs that I've written falsely detected as malware. I've mostly seen it for C++ exes compiled with MinGW. Getting past virus scans isn't just about obfuscation. Not doing low-level system calls, as well as working in a higher-level language, also easily bypasses AV scans. For example, an ElectronJS EXE doesn't actually have any compiled user-written code for an AV program to scan. They can only scan source files, which no major AV can actually properly scan. These source files are also often minified and combined, making it very hard to find where the actual user-written code is found. Yes. At this level, ransomware and other types of viruses are very hard to implement, however, many pieces of malware can be written in JS. The basic "redirect home page" and "show ads on screen" can be implemented this way. Even keylogging is possible if you try hard enough.

  • @hzr said:
    Comodo

    This seems to be the lowest I can find. The others (Thawte) start at 110/1yr minimums. Something I found interesting is if you follow blog links that are affiliate links, the prices go up compared to directly visiting some of these sites/resellers. Like directly visiting the seller would be $x, but going through an accidental aff link makes it $x+7 or whatever.

    Yes, they are trusted code signing providers. But I have found another code signing provider where the price of code signing certificates starts from $69.99/1yr, $64.99/2yr, $49.99/3yr (Comodo Brand) & also check more code signing certificates from different brands - https://signmycode.com/code-signing-certificates

  • CerteraSSL Member, Patron Provider

    Due to the new CA/B Guideline, all code signing certificate prices have now increased due to token and HSM based storage.

    But you can find the cheapest code signing option - Certera Code Signing Certificate from the CA Certera at the lowest price now!

    You can buy from here:
    https://certerassl.com/certera-code-signing-certificate
    https://signmycode.com/certera-code-signing-certificate

    Same cert with all features at a lower price!

  • You can get cheap code signing at just $64/year. It's a good deal for your code protection.

  • yoursunny Member, IPv6 Advocate

    I tell people to write deb [trusted=yes] and call it a day.
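
    The `[trusted=yes]` option mentioned in the post above makes apt accept a repository's packages without a valid signature. As an added example (not part of the thread, and not any poster's code), this Python audit flags one-line-style apt source entries that set `trusted` or `allow-insecure` to a true value; the sample entries, host names and the function name `audit_sources` are constructed for illustration.

```python
import re

# One-line-style apt entry: type, optional [options], URI, suite.
ENTRY = re.compile(
    r"^(?:deb-src|deb)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)
# sources.list(5) options that switch off or weaken signature checking.
RISKY_KEYS = ("trusted", "allow-insecure")
# Spellings apt's boolean parser treats as true.
TRUTHY = {"yes", "true", "with", "on", "enable"}

# Constructed sample input, not taken from any real host.
SAMPLE = """\
# constructed sample
deb http://deb.debian.org/debian bookworm main
deb [trusted=yes] http://repo.example.invalid/apt stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://pkgs.example.invalid/apt stable main
deb-src [arch=amd64 allow-insecure=yes] http://old.example.invalid/apt legacy main
# deb [trusted=yes] http://commented.example.invalid/apt stable main
"""

def audit_sources(text, filename="sources.list"):
    """Return (file, line number, URI, option) for each entry that bypasses verification."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = ENTRY.match(line)
        if not match:
            continue
        opts = {}
        for token in (match.group("opts") or "").split():
            if "=" in token:
                key, value = token.split("=", 1)
                opts[key.lower()] = value.lower()
        for key in RISKY_KEYS:
            if opts.get(key) in TRUTHY:
                findings.append((filename, lineno, match.group("uri"), f"{key}={opts[key]}"))
    return findings

if __name__ == "__main__":
    for finding in audit_sources(SAMPLE):
        print("%s:%d %s sets %s" % finding)
```

    On a real system the same function can be run over `/etc/apt/sources.list` and the `*.list` files under `/etc/apt/sources.list.d/`; deb822-style `.sources` files use a different syntax and are not covered here.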

  • FatGrizzly Member, Host Rep

    god the necro's.

  • @FatGrizzly said:
    god the necro's.

    Necro the forgotten gods :D
