| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Feb 2004 23:56:29 -0500 (EST) From: der Mouse <mouse@...ents.Montreal.QC.CA> To: "John D. Hardin" <jhardin@...sec.org>, Darren Reed <avalon@...igula.anu.edu.au>, bugtraq@...urityfocus.com Subject: Re: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer >> Depends. Does it include the tools necessary to sign my own code? >> If so, what's to stop a malware creator from using those same tools >> to sign the attack vector? > How does the malware author get the private half of a public key you > trust for software installations? The same way you do, of course. Most likely it pops up a box asking for it. Given how boneheaded most users seem to be, and given that signatures will be needed on most software installs, this will be a common sight to many users, and they will probably cheerfully type in whatever is necessary to fetch/decrypt it. Look at how effective phishing attacks are. No, that wouldn't work against me (or, I would hope, you). But I wouldn't be running such a thing anyway, and even if I were-- having to type a passphrase every time I recompiled something would be intolerable, and if it were automated, malware could automate the signing just as well as my compiler front-end could. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse@...ents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Powered by blists - more mailing lists