From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: [Bogus] Microsoft AuthenticodeT webcam viewer
 plugin

Andrew Clover <and-bugtraq@...desk.com> to me:

> > FWIW, I think the biggest "problem" here is that a CA (Thawte in this 
> > case) allows code-signing certificates with such ambiguous "names" as 
> > "Browser Plugin"
> 
> They also have a very limited interpretation of "malicious code". Thawte
> have refused to revoke certs issued to firms spreading homepage hijackers,
> spyware and commercial RATs. Unless it actually formats your hard disc,
> they do not, apparently, consider it malicious.

Does their AUP/ToS/etc require that their certs not be used for such 
things??

I'm not defending what you say is their position -- I just think that 
what you attribute the role of the CA as is not really what it is 
(certainly not what I have _ever_ taken it to be!).

Ownership of a certificate simply means that someone stumped up the 
cash (for a Thawte code signing cert that is about US$100/year) and the 
CA was "suitably convinced" that they really were (or genuinely 
represented) who they said they were (or represented).  It certainly 
says nothing of the quality of the certificate holder's ethics, morals, 
business model or anything else.  That part of the trust equation (the 
important part!) you still have to decide for yourself "the old (hard) 
way" -- no clever piece of mathematics can do that for you...

(BTW -- I'm fairly sure Andrew understands all this.  Take "you" to 
mean the "the collective fools who do not understand this".)

> > Would they allow a cert in the company name "IE Plugins" too?
> 
> See for yourself. www.ieplugin.com

And I thought I was making that one up!   8-)

Actually, ieplugin.com is a good example of what I suggested should be 
done.  First, their ActiveX control has a long description (outside the 
remit of the CA) that pretty clearly says what it does _and_ their 
company name is shown as "IE PLUGIN LTD" -- at least that suggests this 
is something from some third party rather than perhaps "slipping by" as 
looking like some inocuous (and possibly "necessary") add-on to the 
user's web browser, thereby implying "MS authenticity".

> Given the ease of creating a misleading company name, and the unwillingness
> of CAs to police abuse of their certs, one can only conclude that the
> Authenticode process is 100% useless as a means of ensuring code is
> trustworthy.

That is a non-sequiter.

Authenticode is useless as a means of ensuring code is trustworthy 
_independent_ of such an effort from the CAs.  _All_ Authenticode tells 
you is that someone was prepared to part with some cash and they found 
a CA they convinced that they were who they said they were.  In theory 
(at least if you trust the CA -- which I doubt few possibly could in 
Verisign's case once it issued code-signing certs under Microsoft's 
name to non-MS folk despite supposedly having extra special checking 
mechanisms for such a large and obviously "important" client), an 
Authenticode "all clear" means that if you were stupid enough to 
"trust" (in the big sense) a piece of signed code the CA can help you 
locate the rat-bag who signed it should you want to fry their balls...

Anyone who ever thought Authenticode ever bought them more than that 
was seriously delusional and obviously did not understand the basics of 
code-signing as a "trust mechanism" (because it isn't one despite what 
MS wants you to believe).  This is all part of why Authenitcode and 
ActiveX were always such fundamentally bad things and why the decision 
to take this route showed MS lacked even the most basic grasp of the 
fundamentals of security and trust.  That Autheticode has been "sold" 
(and worse, accepted by some) as anything else but a poor-man's excuse 
for "nothing much" is somewhere between really sad and criminal...


Regards,

Nick FitzGerald

Powered by blists - more mailing lists