Message-ID: <3FA0EE05.16903.55AB6B@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: [Bogus] Microsoft Authenticode(TM) webcam viewer plugin

"Lan Guy" <rlanguy@...mail.com> wrote:

> Some time, like 2 or 3 years ago, some group registered their own certs in
> the name of Microsoft Corporation.
> http://slashdot.org/articles/01/03/22/1947233.shtml

Yeah, I know.

That's why I take anything with a Verisign cert with two grains of salt 
-- at least if the signature is good I know the file is unchanged 
relative to what whoever signed it wanted me to get, but beyond that I 
expect _nothing_.

Oddly MS did not immediately drop Verisign, get a whole bunch of new 
certs from another CA and revoke all their Verisign certs.  That alone 
showed that either MS did not value at all the tiny additional 
amount of "trust" a truly good CA can add to the equation, or that MS 
did not understand (or, more likely, was unprepared for marketing 
reasons to admit) that Authenticode is really just a sham adding 
nothing of significant value to the security of mobile code.


Regards,

Nick FitzGerald
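An added example, not part of this thread, showing the stance above as a defender's check in PowerShell: a "Valid" Authenticode status is treated only as proof that the file is unchanged since it was signed, and the signer is pinned to a certificate thumbprint verified out of band rather than trusted because some CA issued a cert in a familiar name. The function name Test-PinnedAuthenticode, the file path and the all-zero thumbprint are assumed or constructed placeholders.

```powershell
# Added example (not from the original post). Relies on the built-in
# Get-AuthenticodeSignature cmdlet; the allowlist is something you maintain.
function Test-PinnedAuthenticode {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ExpectedThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid means tampered, unsigned, or an untrusted chain.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false
            Reason = "Signature status: $($sig.Status)"
        }
    }

    # A valid chain only says that a CA vouched for the subject name, and that
    # name can be issued to the wrong party. Compare the certificate itself.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($ExpectedThumbprints -notcontains $thumb) {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false
            Reason = "Valid signature, but unexpected signer " +
                     "$($sig.SignerCertificate.Subject) ($thumb)"
        }
    }

    return [pscustomobject]@{
        Path = $Path; Trusted = $true
        Reason = "Signed by pinned certificate $thumb"
    }
}

# Usage with a constructed placeholder thumbprint; replace it with the SHA-1
# thumbprint of the signing certificate you have verified out of band.
Test-PinnedAuthenticode -Path 'C:\Downloads\plugin.ocx' `
    -ExpectedThumbprints @('0000000000000000000000000000000000000000')
```

A file that merely reaches Status 'Valid' is not accepted by this check; only a match on the pinned thumbprint returns Trusted = $true.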

