Message-ID: <200402110611.i1B6B6s5002782@caligula.anu.edu.au>
Date: Wed, 11 Feb 2004 17:11:06 +1100 (Australia/ACT)
From: Darren Reed <avalon@...igula.anu.edu.au>
To: mouse@...ents.Montreal.QC.CA (der Mouse)
Cc: bugtraq@...urityfocus.com
Subject: Re: Round One: "DLL Proxy" Attack Easily Hijacks SSL from Internet Explorer
In some mail from der Mouse, sie said:
>
> > Signed applications and signed DLLs and signed drivers [...] coming
> > to a Unix near you SOONER rather than later.
>
> > Or is that the kind of thing you disable upon installation because it
> > gets in the way of you being able to install whatever "you" want ?
>
> Depends. Does it include the tools necessary to sign my own code?
Not with the same key that signs software provided by the OS supplier,
that's for sure. Maybe not even at all.
> If not, yes, I will disable it, to the point of running a different OS
> if necessary.
So you will disable a function that provides you with a trusted, secure,
computing base because you cannot sign things yourself ? Are you really
trying to run a secure environment or one that you think you can control
yourself ? Do you see what I consider to be the obvious flaw in your
statement here ? It is that you would prefer to use a less secure system
because you seem to think that you are trustworthy. How does anyone
know that you're not a virus/worm writer ? Do we just have to take
your word for it ? The idea behind TCB moves that consider the user
"hostile" is not without merit.
Sooner or later, arguments that "I must be in complete control and
be able to do everything myself" are going to be considered laughable.
Let me give you a hypothetical situation...
Some time from now, all major commercial OSes come with signed binaries,
libraries, etc and there's a major virus outbreak.
How does the virus manage to get executed everywhere? Well, it's not a
trusted application, for starters. (If it were then the signature would
provide the start of an audit trail for someone to blame.)
One reaction might be that government says you are not allowed to network,
either directly or indirectly, computers that allow unsigned applications
to run on them.
Now what are you going to do ? Disconnect your computer or argue that
you cannot trust the manufacturers and can only trust the programs you
compile yourself ? And that of course begs the question, why should
the rest of the world be expected to trust you ? Are you going to be
in a position where you can afford the kind of liability insurance
required to be a trusted source of computer applications ? Yes, this
sort of requirement may well and truly be the death of shareware
programs.
It's been rumoured that the successor to XP will be incompatible
in a significant way such that old applications will not run.
What if this kind of platform was part of it and the Microsoft idea
of solving the virus problem is to disallow execution of untrusted
applications, by default, without so much as a prompt to ask a user
yes or no, rendering all prior applications incompatible ? Well,
maybe that is hoping for too much.
I suppose to summarise, I see it something like this:
- people want applications to be able to provide extra value by
running scripts, binaries, easily, etc;
- worms exploit desired featurisms by exploiting people and should
be considered to be hostile/untrusted applications;
- by building up a proper TCB we eliminate execution of worms whilst
letting people continue to do what they want.
Darren
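The execution policy argued over in this thread, as an added example that is not part of the original mail or the OS products it mentions: a loader that refuses anything not signed by a key in its trust store, shipped with only the OS supplier's key. It walks through the cases raised above (vendor-signed software runs, an unsigned worm is refused, code signed with the user's own key is refused until an administrator enrols that key, a trusted binary overwritten in place fails verification, and a binary that merely claims the vendor's identity fails too). Ed25519 over a SHA-256 digest is an assumption for illustration; the thread names no algorithm, and the signer identifiers, file names and "binary" contents are constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedBinary is a program image with a detached signature and the
// identifier of the key that produced it. An empty Signature means the
// software was shipped unsigned.
type SignedBinary struct {
	Name      string
	Image     []byte
	SignerID  string
	Signature []byte
}

// Policy is the loader's trust store: only keys listed here are believed.
type Policy struct {
	Trusted map[string]ed25519.PublicKey
}

// Sentinel refusals, so the caller can tell the cases apart.
var (
	ErrUnsigned      = errors.New("refused: no signature")
	ErrUnknownSigner = errors.New("refused: signer not in trust store")
	ErrBadSignature  = errors.New("refused: signature does not verify")
)

// Sign signs the SHA-256 digest of the image; pre-hashing keeps the
// signed message small for large binaries. (Ed25519 is an assumption
// made for this example, not something the thread specifies.)
func Sign(priv ed25519.PrivateKey, signerID, name string, image []byte) SignedBinary {
	d := sha256.Sum256(image)
	return SignedBinary{Name: name, Image: image, SignerID: signerID, Signature: ed25519.Sign(priv, d[:])}
}

// Admit is the check a loader runs before executing an image. It fails
// closed: anything not positively verified against a trusted key is refused.
func (p Policy) Admit(b SignedBinary) error {
	if len(b.Signature) == 0 {
		return ErrUnsigned
	}
	pub, ok := p.Trusted[b.SignerID]
	if !ok {
		return ErrUnknownSigner
	}
	d := sha256.Sum256(b.Image)
	if !ed25519.Verify(pub, d[:], b.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Enroll adds a key to the trust store. This is the step that decides
// whether a user can sign code for their own machine.
func (p Policy) Enroll(id string, pub ed25519.PublicKey) {
	p.Trusted[id] = pub
}

// Scenario runs the cases discussed in the thread and returns the
// loader's verdict for each. Keys and images are generated here.
func Scenario() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	userPub, userPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Only the OS supplier's key ships in the default trust store.
	policy := Policy{Trusted: map[string]ed25519.PublicKey{"os-vendor": vendorPub}}
	results := map[string]error{}

	// Constructed sample images; the bytes stand in for real binaries.
	vendorApp := Sign(vendorPriv, "os-vendor", "editor.exe", []byte("MZ vendor editor"))
	results["vendor-signed"] = policy.Admit(vendorApp)

	worm := SignedBinary{Name: "worm.exe", Image: []byte("MZ worm payload")}
	results["unsigned-worm"] = policy.Admit(worm)

	// Signed with the user's own key: refused until that key is enrolled.
	ownApp := Sign(userPriv, "local-user", "mytool", []byte("#!/bin/sh\necho mine"))
	results["self-signed-before-enroll"] = policy.Admit(ownApp)
	policy.Enroll("local-user", userPub)
	results["self-signed-after-enroll"] = policy.Admit(ownApp)

	// A worm overwriting a trusted binary in place: the signature still
	// names the vendor key but no longer matches the image.
	tampered := vendorApp
	tampered.Image = append([]byte(nil), vendorApp.Image...)
	tampered.Image[0] ^= 0xFF
	results["tampered-vendor-binary"] = policy.Admit(tampered)

	// A worm claiming the vendor's identity without the vendor's key.
	forged := Sign(userPriv, "os-vendor", "update.exe", []byte("MZ fake update"))
	results["forged-signer-id"] = policy.Admit(forged)
	return results
}

func main() {
	for name, err := range Scenario() {
		verdict := "run"
		if err != nil {
			verdict = err.Error()
		}
		fmt.Printf("%-28s %s\n", name, verdict)
	}
}
```

The point the check makes concrete is that the signature alone settles nothing; what decides whether "you" may run what you built is who controls the Enroll step and the trust store it writes to.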