this post was submitted on 11 Dec 2025
91 points (97.9% liked)

Open Source

42617 readers
47 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 6 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml
91
Sectigo’s Wrongful Revocation of RustDesk’s EV Certificate: A Concerning Precedent for the Software Security Ecosystem (github.com)
submitted 4 days ago by geneva_convenience@lemmy.ml to c/opensource@lemmy.ml
8 comments fedilink hide all child comments
 

Overview

On December 8th 2025, Sectigo abruptly revoked RustDesk’s Extended Validation (EV) Code Signing Certificate without presenting any evidence of malicious behavior or security compromise. This unilateral action immediately disrupted RustDesk users worldwide, triggering false SmartScreen warnings, breaking enterprise deployments, and damaging trust in the software supply chain.

As an open-source remote desktop project used by millions globally, RustDesk takes security and transparency as core principles.

Sectigo’s unjustified revocation — later admitted to be a false positive — represents not only a direct harm to our project but also a serious threat to the integrity of the global digital certificate trust model.

Why Sectigo’s Action Is Unacceptable

According to the CA/Browser Forum EV Code Signing Guidelines, a CA may revoke an EV certificate only when supported by verifiable, auditable evidence such

  • confirmed malicious activity,

  • verified key compromise,

  • fraudulent organization information, or

  • legal mandate.

None of these conditions applied to RustDesk.

Sectigo’s decision to revoke a critical EV certificate based on an internal false positive — without evidence, without warning, and without transparency — is a breach of industry standards and a dangerous precedent.

If a CA can arbitrarily revoke certificates, the entire trust system that underpins software distribution becomes fragile.

you are viewing a single comment's thread
view the rest of the comments
[–] mmmac@lemmy.zip 3 points 3 days ago (1 children)

Tangentally related but off topic: I thought that there were some security concerns about how it connects to their hosted TURN server, is developed in China etc. There was this issue that turned me off as well

I've been out of the loop on this project for a number of years now so this may be out of date.

I just vpn home and vnc when I need access to my devices.

Have things changed, is there a reason for me to give the project another look?

[–] geneva_convenience@lemmy.ml 4 points 3 days ago* (last edited 3 days ago)

The way the author closed the issue is a bit sketchy but what's weirder is that the OOP doesn't state any of the arguments of his so called deleted forum posts, and instead just makes ungrounded accusations pointing to "supposed security risks others are talking about".

Rustdesk is open source and self-hosteable. If there's any actual major security flaws besides yelling "Chaina" (and I'd argue that you can do the same for US or Europe) it should be easy to show. It's also end to end encrypted according to the repo,