[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3FA071BC.16579.19FAE2A5@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: [Bogus] Microsoft AuthenticodeT webcam viewer
plugin
Andrew Clover <and-bugtraq@...desk.com> to me:
> > FWIW, I think the biggest "problem" here is that a CA (Thawte in this
> > case) allows code-signing certificates with such ambiguous "names" as
> > "Browser Plugin"
>
> They also have a very limited interpretation of "malicious code". Thawte
> have refused to revoke certs issued to firms spreading homepage hijackers,
> spyware and commercial RATs. Unless it actually formats your hard disc,
> they do not, apparently, consider it malicious.
Does their AUP/ToS/etc require that their certs not be used for such
things??
I'm not defending what you say is their position -- I just think that
what you attribute the role of the CA as is not really what it is
(certainly not what I have _ever_ taken it to be!).
Ownership of a certificate simply means that someone stumped up the
cash (for a Thawte code signing cert that is about US$100/year) and the
CA was "suitably convinced" that they really were (or genuinely
represented) who they said they were (or represented). It certainly
says nothing of the quality of the certificate holder's ethics, morals,
business model or anything else. That part of the trust equation (the
important part!) you still have to decide for yourself "the old (hard)
way" -- no clever piece of mathematics can do that for you...
(BTW -- I'm fairly sure Andrew understands all this. Take "you" to
mean the "the collective fools who do not understand this".)
> > Would they allow a cert in the company name "IE Plugins" too?
>
> See for yourself. www.ieplugin.com
And I thought I was making that one up! 8-)
Actually, ieplugin.com is a good example of what I suggested should be
done. First, their ActiveX control has a long description (outside the
remit of the CA) that pretty clearly says what it does _and_ their
company name is shown as "IE PLUGIN LTD" -- at least that suggests this
is something from some third party rather than perhaps "slipping by" as
looking like some inocuous (and possibly "necessary") add-on to the
user's web browser, thereby implying "MS authenticity".
> Given the ease of creating a misleading company name, and the unwillingness
> of CAs to police abuse of their certs, one can only conclude that the
> Authenticode process is 100% useless as a means of ensuring code is
> trustworthy.
That is a non-sequiter.
Authenticode is useless as a means of ensuring code is trustworthy
_independent_ of such an effort from the CAs. _All_ Authenticode tells
you is that someone was prepared to part with some cash and they found
a CA they convinced that they were who they said they were. In theory
(at least if you trust the CA -- which I doubt few possibly could in
Verisign's case once it issued code-signing certs under Microsoft's
name to non-MS folk despite supposedly having extra special checking
mechanisms for such a large and obviously "important" client), an
Authenticode "all clear" means that if you were stupid enough to
"trust" (in the big sense) a piece of signed code the CA can help you
locate the rat-bag who signed it should you want to fry their balls...
Anyone who ever thought Authenticode ever bought them more than that
was seriously delusional and obviously did not understand the basics of
code-signing as a "trust mechanism" (because it isn't one despite what
MS wants you to believe). This is all part of why Authenitcode and
ActiveX were always such fundamentally bad things and why the decision
to take this route showed MS lacked even the most basic grasp of the
fundamentals of security and trust. That Autheticode has been "sold"
(and worse, accepted by some) as anything else but a poor-man's excuse
for "nothing much" is somewhere between really sad and criminal...
Regards,
Nick FitzGerald
Powered by blists - more mailing lists