CWL

RustDesk Has Its Certificate Revoked

In a bizarre and damaging scenario, RustDesk (a popular open source remote access tool) saw its code-signing certificate revoked by the company that provides it, Sectigo. This set off a chain of events in which RustDesk clients couldn’t run or be configured because of Windows SmartScreen errors and virus scanner false positives, effectively making the software useless. In some cases, Google’s Chrome browser would mark the RustDesk client as unsafe. This was an error on the certificate issuer Sectigo’s part, but given the power they’ve wielded over RustDesk, and with no explanation for what happened (at the time), many were wondering how this could happen.

So, who’s the bad guy here?

Yes, RustDesk can be used by malicious hackers, as can really any useful tool. It’s always a double-edged sword for powerful utilities. Hammers are great for building as much as they are for violence. But this is what code-signing is supposed to help with, right? It verifies the authenticity of the binary. But if a select group of gatekeepers decides your software is problematic, it can be marked for death.

In Sectigo’s later response to this, it seemed to blame a one-off detection on VirusTotal:

Of interest is Sectigo’s phrase, “if the reported misuse is confirmed or unresolved, [Sectigo will] revoke the certificate within 24 hours.” This appears to indicate that if someone else uses the software in a bad way, it’s RustDesk’s responsibility to stop it or face permanent revocation. This is an absolutely insane standard to hold software vendors to, given that more utility and portability might mean the bad guys misuse it more. If RustDesk’s fundamentals are secure and sound, it should not be on them to fix how people use it.

After the dust settles, a ton of questions linger. Is it safe to centralize control for an entire swath of software, only to see it nullified so easily? Should there be additional safeguards when these vendors get overzealous? They clearly have no real incentive to check their work. If this point of failure is in the hands of one single company, is that too much power?

For now, there are a few workarounds. Most of them involve running only the EXE installer/uninstaller as administrator in a command prompt:

"C:\Program Files\RustDesk\RustDesk.exe" --uninstall

Install again as administrator and start the service. Once that’s done, RustDesk should be fine on future reboots. This is until the certificate can be re-issued and a new version of RustDesk can be released.
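Before reinstalling, it helps to confirm that a block on a given machine really traces back to the revoked signing certificate and not to a modified binary. The PowerShell below is an added example, not code from RustDesk or from the original post; the function name is hypothetical and the default path is assumed from the uninstall command above.

```powershell
# Added example: report whether a file's Authenticode signer certificate is revoked.
param(
    # Assumed install path, taken from the uninstall command in the post.
    [string]$Path = 'C:\Program Files\RustDesk\RustDesk.exe'
)

function Get-SignerRevocationStatus {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$FilePath)

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath

    # Unsigned file: nothing to check.
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{
            File = $FilePath; SignatureStatus = $sig.Status
            Revoked = $null; RevocationChecked = $false; ChainStatus = @()
        }
    }

    # Build the chain with an online CRL/OCSP lookup.
    # Note: this evaluates the certificate as of now, not as of the
    # signature timestamp, so an expired certificate shows NotTimeValid.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode      = [Enum]::Parse("$x509.X509RevocationMode", 'Online')
    $chain.ChainPolicy.RevocationFlag      = [Enum]::Parse("$x509.X509RevocationFlag", 'ExcludeRoot')
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    [void]$chain.Build($sig.SignerCertificate)

    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        File              = $FilePath
        Subject           = $sig.SignerCertificate.Subject
        Thumbprint        = $sig.SignerCertificate.Thumbprint
        SignatureStatus   = $sig.Status          # HashMismatch means the file itself changed
        Revoked           = $status -contains 'Revoked'
        # False when the revocation server could not be reached.
        RevocationChecked = -not ($status -contains 'RevocationStatusUnknown' -or
                                  $status -contains 'OfflineRevocation')
        ChainStatus       = $status
    }
}

Get-SignerRevocationStatus -FilePath $Path | Format-List
```

A `SignatureStatus` of `HashMismatch` means the file no longer matches what was signed, which is a different problem from the revocation described here and should not be worked around.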
