Full Disclosure mailing list archives
Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 30 Oct 2003 02:04:44 +1300
Andrew Clover <and-bugtraq () doxdesk com> to me:
FWIW, I think the biggest "problem" here is that a CA (Thawte in this case) allows code-signing certificates with such ambiguous "names" as "Browser Plugin"They also have a very limited interpretation of "malicious code". Thawte have refused to revoke certs issued to firms spreading homepage hijackers, spyware and commercial RATs. Unless it actually formats your hard disc, they do not, apparently, consider it malicious.
Does their AUP/ToS/etc require that their certs not be used for such things?? I'm not defending what you say is their position -- I just think that what you attribute the role of the CA as is not really what it is (certainly not what I have _ever_ taken it to be!). Ownership of a certificate simply means that someone stumped up the cash (for a Thawte code signing cert that is about US$100/year) and the CA was "suitably convinced" that they really were (or genuinely represented) who they said they were (or represented). It certainly says nothing of the quality of the certificate holder's ethics, morals, business model or anything else. That part of the trust equation (the important part!) you still have to decide for yourself "the old (hard) way" -- no clever piece of mathematics can do that for you... (BTW -- I'm fairly sure Andrew understands all this. Take "you" to mean the "the collective fools who do not understand this".)
Would they allow a cert in the company name "IE Plugins" too?See for yourself. www.ieplugin.com
And I thought I was making that one up! 8-) Actually, ieplugin.com is a good example of what I suggested should be done. First, their ActiveX control has a long description (outside the remit of the CA) that pretty clearly says what it does _and_ their company name is shown as "IE PLUGIN LTD" -- at least that suggests this is something from some third party rather than perhaps "slipping by" as looking like some inocuous (and possibly "necessary") add-on to the user's web browser, thereby implying "MS authenticity".
Given the ease of creating a misleading company name, and the unwillingness of CAs to police abuse of their certs, one can only conclude that the Authenticode process is 100% useless as a means of ensuring code is trustworthy.
That is a non-sequiter. Authenticode is useless as a means of ensuring code is trustworthy _independent_ of such an effort from the CAs. _All_ Authenticode tells you is that someone was prepared to part with some cash and they found a CA they convinced that they were who they said they were. In theory (at least if you trust the CA -- which I doubt few possibly could in Verisign's case once it issued code-signing certs under Microsoft's name to non-MS folk despite supposedly having extra special checking mechanisms for such a large and obviously "important" client), an Authenticode "all clear" means that if you were stupid enough to "trust" (in the big sense) a piece of signed code the CA can help you locate the rat-bag who signed it should you want to fry their balls... Anyone who ever thought Authenticode ever bought them more than that was seriously delusional and obviously did not understand the basics of code-signing as a "trust mechanism" (because it isn't one despite what MS wants you to believe). This is all part of why Authenitcode and ActiveX were always such fundamentally bad things and why the decision to take this route showed MS lacked even the most basic grasp of the fundamentals of security and trust. That Autheticode has been "sold" (and worse, accepted by some) as anything else but a poor-man's excuse for "nothing much" is somewhere between really sad and criminal... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [Bogus] Microsoft AuthenticodeT webcam viewer plugin morning_wood (Oct 28)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Nick FitzGerald (Oct 28)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Lan Guy (Oct 29)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Nick FitzGerald (Oct 29)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Valdis . Kletnieks (Oct 29)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Lan Guy (Oct 29)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Andrew Clover (Oct 29)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Nick FitzGerald (Oct 29)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Andrew Clover (Oct 29)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin George Capehart (Oct 29)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Valdis . Kletnieks (Oct 29)
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Nick FitzGerald (Oct 28)
- <Possible follow-ups>
- Re: [Bogus] Microsoft AuthenticodeT webcam viewer plugin Andrew Clover (Oct 29)