Open Source and information security mailing list archives
 
From: capegeo at opengroup.org (George Capehart)
Subject: [Bogus] Microsoft Authenticode™ webcam viewer plugin

On Wednesday 29 October 2003 08:04 am, Nick FitzGerald wrote:

<snip>

>
> Authenticode is useless as a means of ensuring code is trustworthy
> _independent_ of such an effort from the CAs.  _All_ Authenticode
> tells you is that someone was prepared to part with some cash and
> they found a CA they convinced that they were who they said they
> were.

This is why the CA's Certification Practice Statement (CPS) is so 
important . . . and why, if one is going to accept a certificate, they 
*really* should read the CPS and understand exactly what process the CA 
went through to determine the authenticity of the DN.  *Then* you 
should read the audit reports to see if the CA is really following the 
CPS.  If that information is not publicly available, he/she 
who accepts those certs deserves what he/she gets.


> In theory (at least if you trust the CA -- which I doubt few
> possibly could in Verisign's case once it issued code-signing certs
> under Microsoft's name to non-MS folk despite supposedly having extra
> special checking mechanisms for such a large and obviously
> "important" client),

See above.

> an Authenticode "all clear" means that if you
> were stupid enough to "trust" (in the big sense) a piece of signed
> code the CA can help you locate the rat-bag who signed it should you
> want to fry their balls...

See above again.  That is true IFF the RA did its job.

>
> Anyone who ever thought Authenticode ever bought them more than that
> was seriously delusional and obviously did not understand the basics
> of code-signing as a "trust mechanism" (because it isn't one despite
> what MS wants you to believe).  This is all part of why Authenticode
> and ActiveX were always such fundamentally bad things and why the
> decision to take this route showed MS lacked even the most basic
> grasp of the fundamentals of security and trust.  That Authenticode
> has been "sold" (and worse, accepted by some) as anything else but a
> poor-man's excuse for "nothing much" is somewhere between really sad
> and criminal...
>

I think "nothing much" is being pretty generous . . . :->

Cheers,

/g
-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutenate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925

