Re: Code Signing ???

[Devdas Bhagat <devdas () dvb homelinux org>]

On 13/08/05 22:25 -0700, Saqib Ali wrote:
> I am a regular reader of Bruce Schneier's Blog, Articles, and Books,
> and I really like what he writes. However I recently read his book
> titled "Secret and Lies" and I think he has done some in-justice to
> the security provided by the "Code Signing".
>
> On page 163 of his books, he (Bruce Schneier) basically states that
> "Code signing, as it is currently done, sucks".
>
> Even though I think that Code Signing has its flaws, it does provide a
> fairly good mechanism for increasing security in an organization.
>
> The following are the reasons that he (Bruce Schneier) gives:
>
> Bruce's Argument #1) Users have no idea how to decide if a particular
> signer is trusted or not.
>
> My comments: True. However in an organization is the job of the
> IT/security dept to make that determination. It shouldn't be left up
> to users. The IT dept should know not to trust "Snake Oil Corp.",
> however anything from "Citrix Corp" should be fairly safe. Moreover

Assuming that it isn't terribly difficult to obtain such a certificate.

> Windows XP SP2 provides provides a mechanism to create a Whitelist of
> certain trusted signers, and reject everything else. This is a very
> powerful security mechanism, and greatly increase the security in a
> corporate environment, if the workstations are properly configured.
> Having said that, this feature may not be that useful for home user,
> who can not tell the difference between Snake Oil and Citrix Corp.

And we have had Verisign issuing a certificate to random people in the
name of Microsoft[1]. Also, even the IT department cannot trust a random
binary, unless it comes over a trusted channel and from a trusted source.
"It does only this, and does not send out personal information to tthe
world".

It does nothing to protect home users, who do not have an IT department
and a firewall to protect them. On the other hand, with MS marketing
signed code as trustworthy and safe, they are even more at risk from
signed executables dropping in spyware and adware.

With the increased crap on their systems spewing out data on the
network, users who actually care about security are affected.

> Bruce's Argument #2) Just because a component is signed doesn't mean
> that it is safe.
>
> My Comments: I fully agree with this. However Code Signing was never
> intended for this purpose. Code signing was design to prove the
> authenticity and integrity of the code. It was never designed to
> certify that the piece is also securely written.
It only proves that someone was willing to spend some money on getting a
certificate in that name. Can you give a single good reason to trust a
CA who you do not personally know? And a million other people trust them
is not a good reason. A web of trust is far more useful than a simple
tree.[2]

> Bruce's Argument #3)  Just because two component are individually
> signed does not mean that using them together is safe; lots of
> accidental harmful interactions can be exploited.
>
> My comment: Again Code Signing was was never designed to accomplish this.
And that is a large reduction in security. Remember, you cannot blame
the vendor (EULA). So the code signing merely proves that the code did,
in fact, come from that vendor. Which is of no use, since there is no
compensation for bad code.

> Bruce's Argument #4) "safe" is not all-or-nothing thing; there are
> degrees of safety.
>
> My comment: I agree with this statement.
>
> Bruce's Argument #5) The fact that the evidence of attack (the
> signature on the code) is stored on the computer under attack is
> mostly useless: The attack could delete or modify the signature during
> the attack, or simple reformat the drive where the signature is
> stored.
>
> My comments: I am not sure what this statement mean. I think this type
> of attack is outside the realm of Code Signing.
If I can compromise the system, I can change the executable and delete
the signature. Since the executable will work fine without the
signature, it isn't really effective.

Devdas Bhagat
[1] Verisign has claimed that it has fixed its practices since that
event.
[2] IIRC, OpenCA is attempting something similar for TLS certificates.