Overview

On December 8th 2025, Sectigo abruptly revoked RustDesk’s Extended Validation (EV) Code Signing Certificate without presenting any evidence of malicious behavior or security compromise. This unilateral action immediately disrupted RustDesk users worldwide, triggering false SmartScreen warnings, breaking enterprise deployments, and damaging trust in the software supply chain.

As an open-source remote desktop project used by millions globally, RustDesk takes security and transparency as core principles.

Sectigo’s unjustified revocation — later admitted to be a false positive — represents not only a direct harm to our project but also a serious threat to the integrity of the global digital certificate trust model.

Why Sectigo’s Action Is Unacceptable

According to the CA/Browser Forum EV Code Signing Guidelines, a CA may revoke an EV certificate only when supported by verifiable, auditable evidence such as:

  • confirmed malicious activity,

  • verified key compromise,

  • fraudulent organization information, or

  • legal mandate.

None of these conditions applied to RustDesk.

Sectigo’s decision to revoke a critical EV certificate based on an internal false positive — without evidence, without warning, and without transparency — is a breach of industry standards and a dangerous precedent.

If a CA can arbitrarily revoke certificates, the entire trust system that underpins software distribution becomes fragile.

  • lascapi@jlai.lu · 4 points · 14 hours ago

    the conclusion:

    Sectigo’s wrongful revocation of RustDesk’s EV certificate is not simply an isolated error — it highlights a structural vulnerability in the certificate trust ecosystem. […] This incident must not be ignored. It is a warning that the certificate authority model needs stronger accountability and oversight.

    For me it’s a wonder and a mystery that this kind of system based on trust is working worldwide today. 🙃

  • mmmac@lemmy.zip · 3 up, 1 down · 18 hours ago

    Tangentially related but off topic: I thought that there were some security concerns about how it connects to their hosted TURN server, is developed in China etc. There was this issue that turned me off as well

    I’ve been out of the loop on this project for a number of years now so this may be out of date.

    I just vpn home and vnc when I need access to my devices.

    Have things changed, is there a reason for me to give the project another look?

    • geneva_convenience@lemmy.ml (OP) · 3 points · 14 hours ago

      The way the author closed the issue is a bit sketchy but what’s weirder is that the OOP doesn’t state any of the arguments of his so called deleted forum posts, and instead just makes ungrounded accusations pointing to “supposed security risks others are talking about”.

      Rustdesk is open source and self-hostable. If there’s any actual major security flaws besides yelling “Chaina” (and I’d argue that you can do the same for US or Europe) it should be easy to show. It’s also end to end encrypted according to the repo,

  • DigitalDilemma@lemmy.ml · 7 points · 1 day ago

    CAs exist on trust and trust alone.

    This, along with any other mistake, erodes that trust and will have damaged Sectigo’s reputation at least as much as Rustdesk’s.

    I doubt there’s any conspiracy or higher figure at work here. Just human error.

    Rustdesk will probably have a claim for financial losses and good luck if they pursue that - the admission of a mistake and breach of protocol makes it seem likely to be settled very quickly. The tone of this report suggests that this is somewhere they’ll be heading towards and I suspect Sectigo will pay handsomely to make this story short-lived.