Full Disclosure mailing list archives

Re: [Bogus] Microsoft Authenticode(TM) webcam viewer plugin


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 30 Oct 2003 10:55:01 +1300

"Lan Guy" <rlanguy () hotmail com> wrote:

> Some time, like 2 or 3 years ago, some group registered their own certs in
> the name of Microsoft Corporation.
> http://slashdot.org/articles/01/03/22/1947233.shtml

Yeah, I know.

That's why I take anything with a Verisign cert with two grains of salt 
-- at least if the signature is good I know the file is unchanged 
relative to what whoever signed it wanted me to get, but beyond that I 
expect _nothing_.

Oddly MS did not immediately drop Verisign, get a whole bunch of new 
certs from another CA and revoke all their Verisign certs.  That alone 
showed that either MS did not value at all the tiny additional 
amount of "trust" a truly good CA can add to the equation, or that MS 
did not understand (or, more likely, was unprepared for marketing 
reasons to admit) that Authenticode is really just a sham adding 
nothing of significant value to the security of mobile code.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
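The distinction drawn above (a good signature proves the bytes are what the holder of the signing key released, and says nothing about whether that key holder is who the certificate's name claims) can be shown in a few dozen lines. The following is an added example, not code from the post, from Microsoft or from Verisign: it stands in two self-signed ECDSA certificates for Authenticode publisher certificates, both carrying Subject CN "Microsoft Corporation", and uses Go's standard library in place of the Windows Authenticode verifier. The payload bytes, the signer names and the pinned-fingerprint list are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Signer is a toy stand-in for an Authenticode publisher: a self-signed
// certificate plus the private key that goes with it (assumption: real
// publisher certs chain to a CA, but the point below does not depend on that).
type Signer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewSigner mints a self-signed P-256 certificate whose Subject CN is cn.
// Nothing stops two unrelated parties from each calling this with the same cn.
func NewSigner(cn string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Cert: cert, Key: key}, nil
}

// Sign returns an ASN.1 ECDSA signature over SHA-256(payload).
func (s *Signer) Sign(payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
}

// SignatureValid is the integrity check only: the bytes are exactly what the
// holder of cert's key signed. It deliberately looks at no name in cert.
func SignatureValid(cert *x509.Certificate, payload, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig) == nil
}

// Fingerprint is SHA-256 over the DER certificate, the value a verifier has
// to pin to tell two "Microsoft Corporation" certificates apart.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// TrustedSigner is the check that actually buys something: valid signature
// AND a signer whose certificate is on the pinned list. Subject CN is ignored
// because anyone can obtain a certificate containing that string.
func TrustedSigner(cert *x509.Certificate, payload, sig []byte, pinned map[string]bool) bool {
	return SignatureValid(cert, payload, sig) && pinned[Fingerprint(cert)]
}

// Result records what each check concludes for the two look-alike signers.
type Result struct {
	SameSubject      bool // both certs say "Microsoft Corporation"
	ImpostorSigValid bool // the impostor's signature verifies fine
	ImpostorTrusted  bool // ...but its cert is not pinned
	GenuineTrusted   bool // the pinned signer passes both checks
	TamperedSigValid bool // one flipped byte fails even for the genuine signer
}

// Demo runs the scenario end to end on a constructed payload.
func Demo() (Result, error) {
	payload := []byte("constructed sample: webcam viewer plugin bytes")
	genuine, err := NewSigner("Microsoft Corporation")
	if err != nil {
		return Result{}, err
	}
	impostor, err := NewSigner("Microsoft Corporation")
	if err != nil {
		return Result{}, err
	}
	pinned := map[string]bool{Fingerprint(genuine.Cert): true}
	sigG, err := genuine.Sign(payload)
	if err != nil {
		return Result{}, err
	}
	sigI, err := impostor.Sign(payload)
	if err != nil {
		return Result{}, err
	}
	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0x01
	return Result{
		SameSubject:      genuine.Cert.Subject.CommonName == impostor.Cert.Subject.CommonName,
		ImpostorSigValid: SignatureValid(impostor.Cert, payload, sigI),
		ImpostorTrusted:  TrustedSigner(impostor.Cert, payload, sigI, pinned),
		GenuineTrusted:   TrustedSigner(genuine.Cert, payload, sigG, pinned),
		TamperedSigValid: SignatureValid(genuine.Cert, tampered, sigG),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The impostor's signature verifies just as cleanly as the genuine one; only the pinned fingerprint (or, in a real deployment, a chain to a CA whose issuance practice you actually trust) separates them. That is the whole of what a valid Authenticode signature tells you on its own, and why the CA's identity checks carry the rest of the weight.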

