Security Now (Audio) SN 1059: MongoBleed - Code Signing Under Siege
Jan 7, 2026

Discover why code-signing certificates are becoming shorter and more expensive, pushing developers towards costly cloud solutions. The hosts explore the MongoBleed vulnerability and its significant implications for data security. They also delve into the security enhancements coming to the Python Package Index and discuss the curious ban on Raspberry Pis during a New York City inauguration. Plus, get insights on the potential pitfalls of ChatGPT's shift to an advertising model and learn about the fascinating connection between Vitamin D and magnesium.
AI Snips
Shortened Code-Signing Lifetimes Favor CAs
- The CA/Browser Forum voted to cut code-signing certificate lifetimes from 39 months to 15 months starting March 1, 2026.
- Steve Gibson argues this change mostly benefits CAs by pushing developers toward costly cloud signing subscriptions.
Cloud Signing Creates Vendor Lock-In
- Cloud-based code signing lets providers hold customers' private keys and sign remotely, creating subscription dependency.
- Steve warns this centralizes control and encourages outsourcing of private keys for convenience and profit.
TLS Short-Lived Certs Set The Pattern
- The TLS certificate lifetime reductions set a precedent: frequent renewals push automation and cloud services.
- Steve sees the same trajectory happening for code signing, favoring large providers and automation.