But what if you received unnerving warning messages telling you that the software can\u2019t be trusted or that Windows couldn\u2019t verify the publisher? This indicates that the publisher didn\u2019t apply a valid digital signature to their product. And not digitally signing your software is a big red flag from a security standpoint.<\/p>\n\n\n\n
But what is a digital signature in terms of security? It\u2019s time to explore what a digital signature is and why using this type of verification method is crucial to your organization\u2019s defenses and reputation.<\/p>\n\n\n\n
Let\u2019s hash it out.<\/span><\/p>\n\n\n<\/span><\/span>\n\n\n A digital signature, also called a public key signature<\/a>, is a digital identifier that you can apply to files, email communications, websites, and other digital assets to prove their authenticity. It\u2019s a special type of electronic signature<\/a> that uses cryptography to show that your data is legitimate and hasn\u2019t been messed with. (All digital signatures are electronic signatures, but not all electronic signatures are digital ones \u2014 it\u2019s like how all types of ice cream are desserts but not all desserts are ice cream.)<\/p>\n\n\n\n Before the internet, people had to be in the same physical location to verify one another\u2019s identities and exchange secure communications. Now, you can use a digital signature to verify that you\u2019re really you and that the file or site you created is authentic without having to meet the other party face to face. For example, I could share a digitally signed file with a friend in Australia and they\u2019d be able to verify that I created it without actually being here next to me to observe my actions.<\/p>\n\n\n\n Digital signatures rely on public key infrastructure<\/a> (PKI) \u2014 a system that uses two separate but related keys to secure data via encryption \u2014 and digital certificates. PKI is the foundation of security on the internet; it\u2019s all about providing a way to remotely authenticate parties and prove that the integrity of their data hasn\u2019t been compromised so the parties can communicate securely.<\/p>\n\n\n\n Are digital signatures 100% foolproof? Of course not \u2014 no technology is. In this case, their effectiveness depends on the strength of the cryptographic algorithms used and your ability to secure your digital certificates\u2019 private keys. (If you don\u2019t secure your keys and they fall into the wrong hands, then bad guys can use them to sign counterfeit software and raise all kinds of hell.)<\/p>\n\n\n\n But while digital signatures aren\u2019t perfect, they\u2019re a great solution in an age when virtually instantaneous remote communications are the norm. <\/p>\n\n\n\n In a nutshell, digital signatures facilitate both of the following:<\/p>\n\n\n\n A digital signature irrefutably ties you or your organization\u2019s digital identity to your digital certificate and key. A digital certificate, such as an SSL\/TLS certificate<\/a>, is a data file that contains information about you and\/or your company and the entity (i.e., a publicly trusted certificate authority [CA]) that issued the certificate to you.<\/p>\n\n\n\n Why does it matter who issued the certificate? Every publicly trusted digital certificate is issued by a third-party CA (think DigiCert, Sectigo, etc.). This is an entity that has to meet strict industry standards in order to have the authority to issue certificates that are trusted by browsers and operating systems. When a CA issues a certificate to you or your company, they use their good name and reputation to vouch for you and help you establish trust. <\/p>\n\n\n<\/span><\/span>\n\n\n In some ways, applying a digital signature is similar to having a public notary. When signing important documents, you typically are required to have the notary witness the signing, verify your identity, and add their stamp to affirm the authenticity of your signature. This is because a notary public has been given the authority to sign and attest to the signing of documents in an official capacity.<\/p>\n\n\n\n Likewise, a certificate authority acts similarly, essentially affirming that:<\/p>\n\n\n\n Much like how a notary needs to check your government-issued ID card to verify your identity, certificate authorities also validate you or your business by checking official government records and other trusted third-party resources. Once the CA verifies this information, they\u2019ll issue you a certificate from a trusted root.<\/p>\n\n\n\n A trusted root, or root CA, is part of a critical element of public key cryptography called a \u201cchain of trust.\u201d Basically, this is a line of digital certificates, and each certificate contains information from the previous certificate that was used to sign it. In a traditional chain of trust:<\/p>\n\n\n\n Here\u2019s a quick look at the chain of trust for The SSL Store\u2019s SSL\/TLS certificate:<\/p>\n\n\n\n When you add digital identity to your data, it’s shared with others. You\u2019re letting those parties know that your data is authentic and hasn\u2019t been messed with since you signed it. But that\u2019s not the only way that integrating digital signatures into your organization\u2019s cyber defenses can help you.<\/p>\n\n\n\n Adding digital signatures to your emails, documents, software, and digital communications also:<\/p>\n\n\n\n You now know what a digital signature is and what it does. But where can you find these digital identifiers in use? Virtually everywhere, if you know what to look for! Digital signatures are commonly used to secure files and data for organizations in the following industries for organizations across virtually all sectors, including banking, government, healthcare, and sales.<\/p>\n\n\n\n Here are a few examples of common digital signature uses:<\/p>\n\n\n\n Look at the top of your browser at the web address bar. See the little security padlock icon in your web browser? This means that your website is secured via the HTTPS protocol.<\/p>\n\n\n\n Image caption: A screenshot of TheSSLStore.com\u2019s home page with the security padlock icon highlighted.<\/em><\/p>\n\n\n\n When you initially connected to our website (TheSSLStore.com), our web server sent your browser an SSL\/TLS certificate. This certificate contains a wealth of verifiable identifying information about our domain and company. It also includes the digital signature of the publicly trusted certificate authority that issued the certificate to us. Your browser verifies this digital signature as part of the SSL\/TLS handshake<\/a> process that creates a secure, encrypted communication channel.<\/p>\n\n\n\n To enable HTTPS on your website, purchase and install an SSL\/TLS certificate<\/a> on your web server.<\/p>\n\n\n\n When you add a digital signature to your outbound emails, it offers your recipients assurance that the emails are legitimate and came from your email client. It\u2019ll look something like the image below (which was captured in Microsoft Outlook).<\/p>\n\n\n\n If you want to prove your emails are authentic and haven\u2019t been tampered with, you can digitally sign your message and all attachments. Simply add an email signing certificate<\/a> to your email client (such as Outlook) and have at it. Once you do this and enable the digital signing feature, it makes the little verification ribbon appear in your outbound emails.<\/p>\n\n\n\n You can also add an optional timestamp, which shows the precise date and time when your email was signed and verified. (This is always a good idea, as far as we\u2019re concerned!)<\/p>\n\n\n\n Creating fraudulent Office documents isn\u2019t rocket science \u2014 virtually anyone can do it. So, if you want to ensure that no one tampers with your PDF and Microsoft Office files, you can do so by attaching your digital signature. This is akin to giving your files an official stamp of authenticity, much like the notary stamp we mentioned earlier.<\/p>\n\n\n\n Here\u2019s a quick example of how it looks when you use a document signing certificate to sign your Adobe PDF files:<\/p>\n\n\n\n As you can see, the digital signature provides the signer\u2019s name, date, and time of when the digital signature was applied. Furthermore, you can click on Certificate Details<\/strong> to view additional information, including:<\/p>\n\n\n\n Note that this digital signature is different from a basic typed signature (which can be easily faked). To start adding digital signatures to your files, you\u2019ll need to first get a document signing certificate<\/a>. After that, you\u2019ll need to install it in your device or client\u2019s trust store.<\/p>\n\n\n\n The same concept applies to your code and executables. If you want to provide assurance that your software is legitimate and isn\u2019t counterfeit, digitally sign your executables using a standard code signing certificate. This will enable your verified organization information to display in the warning windows instead of the dreaded \u201cUnknown\u201d publisher message.<\/p>\n\n\n\n But if you want to take your digital identity to another level, use an extended validation (EV) code signing certificate. Doing this ensures your software will automatically be trusted by browsers and operating systems and won\u2019t trigger the Microsoft Defender SmartScreen warnings like the one above.<\/p>\n\n\n\n For all you IoT lovers out there, this one is for you. Digital signatures are a great way to add verifiable digital identity to your smart technologies. If you\u2019ve got remote monitoring devices deployed in the field, you need a way to verify that it\u2019s your legitimate devices that are connecting to your network.<\/p>\n\n\n\n Using digital certificates for these devices enables you to harness the power of digital signatures (and public key cryptography as a whole) to keep your network and device data as secure as possible.<\/p>\n\n\n\n We already wrote a comprehensive article on how digital signatures work<\/a>, so we\u2019re not going to dive into all of that again here. Here\u2019s the quick overview of how using a digital signature works using an example of signing an executable:<\/p>\n\n\n\nWhat Is a Digital Signature? A Look at This Type of Electronic Signature<\/h2>\n\n\n\n
PKI Is What Makes Digital Signatures Possible<\/h3>\n\n\n\n
What Do Digital Signatures Do? It\u2019s All About Creating and Fostering Trust<\/h2>\n\n\n\n
\n
Using a Digital Signature Is Like Hiring a Notary Public…<\/h3>\n\n\n\n
\n
Digital Signatures Rely on the Issuing CA\u2019s Chain of Trust<\/h2>\n\n\n\n
\n
![\"SSL\/TLS](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/11\/thesslstore-digital-signature-SSL-TLS-chain-of-trust-example-1024x472.jpg\")
Why Digital Signatures Matter to Your Organization<\/h2>\n\n\n\n
\n
5 Ways You\u2019re (Probably) Already Using Digital Signatures Within Your Organization<\/h2>\n\n\n\n
1. Create Secure Website Connections<\/h3>\n\n\n\n
![\"The](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/thesslstore-site-padlock-shadow-1024x455.png\")
<\/figure>\n\n\n\n2. Authenticate Your Email Communications<\/h3>\n\n\n\n
![\"An](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/03\/email-signing-certificate-valid-digital-signature.png\")
3. Offer Assurance of Your Digital Files\u2019 Authenticity<\/h3>\n\n\n\n
![\"A](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/11\/adobe-pdf-digital-signature.png\")
\n
4. Ensure the Authenticity of Your Software, Code, and Containers<\/h3>\n\n\n\n
![\"Two](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/verified-vs-unverified-publisher-examples.jpg\")
5. Establish Digital Identities for Your Network\u2019s Connected Devices<\/h3>\n\n\n\n
How Digital Signatures Work<\/h2>\n\n\n\n
![\"Three](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/09\/winsdksetup-digitally-signed-software-example-1024x443.jpg\")