Interesting People mailing list archives

more on SFGate: VERISIGN/On the Record: Stratton Sclavos


From: David Farber <dave () farber net>
Date: Tue, 11 Jan 2005 17:30:35 -0500


------ Forwarded Message
From: Ben Edelman <edelman () law harvard edu>
Date: Tue, 11 Jan 2005 16:46:54 -0500
To: <dave () farber net>
Subject: RE: [IP] more on SFGate: VERISIGN/On the Record: Stratton Sclavos

Dave --

Sclavos' spyware complaints are particularly puzzling because VeriSign
profits from the spyware problem, via Verisign's "code signing" digital
signatures for ActiveX controls.

Recall that, for a recent version of Internet Explorer to prompt a user to
accept an ActiveX auto-installer (via a "drive-by" popup shown as users
browse web pages in IE's Internet zone) [1], the ActiveX's CAB file (a
compressed installation bundle, like a ZIP) must be digitally signed. [2]
For fees of $400 and up, Verisign issues the digital certificates necessary
to sign such CABs. [3]

Verisign's customers then go on to use these certificates in exceptionally
misleading ways, including: 1) Attempting to install software as users view
unrelated sites.  2) Interspersing their software installation attempts with
JavaScript popups claiming "You must click yes to continue" and similar.  3)
Showing misleading product names that state or imply that their software is
necessary, when it is not.  4) Showing lengthy, incomplete, confusing or
misleading licenses, or no licenses at all.

VeriSign could stop or reduce these problems by refusing to issue digital
certificates to known bad actors, and/or by revoking certificates of those
revealed to be bad actors.  They would drive some of the bad guys' business
to other digital certificate firms (like Thawte), but they'd no longer be
suppliers to spyware providers.  That'd be a good first step in earning back
a bit of users' trust.


Ben

[1] see e.g. <http://www.benedelman.org/spyware/gator-driveby.png>,
<http://www.benedelman.org/spyware/images/odysseus-011105.png>,
<http://www.benedelman.org/spyware/images/nlite-011105.png>.

[2]
<http://msdn.microsoft.com/library/default.asp?url=/workshop/components/activex/packaging.asp>

[3]
<http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html>
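The mechanism Ben describes (IE only offers the install prompt for a signed CAB, and the certificate behind that signature is sold by a CA such as VeriSign) can be audited from the administrator's side. The following is an added PowerShell example, not code from the original message or from Microsoft or VeriSign; it assumes a CAB path you supply and uses the built-in Get-AuthenticodeSignature cmdlet plus the .NET X509Chain class to report who signed a CAB, which CA issued the certificate, and whether that certificate has since been revoked.

```powershell
# Added example: inspect the Authenticode signature on an ActiveX CAB file.
# Assumes Windows PowerShell and a CAB path supplied by the caller.
function Get-CabSignerReport {
    param([Parameter(Mandatory = $true)][string]$CabPath)

    $sig = Get-AuthenticodeSignature -FilePath $CabPath

    # Status reflects signature validity only. A NotSigned CAB would never
    # trigger the Internet-zone install prompt discussed above.
    $report = [ordered]@{ File = $CabPath; Status = $sig.Status }
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]$report
    }

    $cert = $sig.SignerCertificate
    $report.Subject    = $cert.Subject
    $report.Issuer     = $cert.Issuer        # which CA sold the certificate
    $report.Thumbprint = $cert.Thumbprint
    $report.NotAfter   = $cert.NotAfter
    if ($sig.TimeStamperCertificate) {
        $report.TimeStamper = $sig.TimeStamperCertificate.Subject
    }

    # Rebuild the chain with online revocation checking (CRL/OCSP). A
    # certificate the CA has revoked shows up as a Revoked chain status even
    # though the signature itself still hashes correctly.
    $ns = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = [type]"$ns.X509RevocationMode" |
        ForEach-Object { $_::Online }
    $chain.ChainPolicy.RevocationFlag = [type]"$ns.X509RevocationFlag" |
        ForEach-Object { $_::EntireChain }
    $report.ChainValid  = $chain.Build($cert)
    $report.ChainStatus = @($chain.ChainStatus | ForEach-Object {
        '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
    })
    return [pscustomobject]$report
}

# Usage (placeholder path; replace with the CAB you want to inspect):
Get-CabSignerReport -CabPath 'C:\samples\installer.cab' | Format-List
```

The Revoked status only appears if the machine can reach the CA's CRL or OCSP endpoint; offline, the chain reports RevocationStatusUnknown instead, so treat that as "not checked" rather than "fine".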



------ Forwarded Message
From: Carl Malamud <carl () media org>
Organization: Memory Palace Press
Date: Mon, 10 Jan 2005 11:27:04 -0800 (PST)
To: <dave () farber net>
Subject: Re: [IP] SFGate: VERISIGN/On the Record: Stratton Sclavos

Dave -

You kind of expect the CEO of a company to walk the walk.  You know ... the
CEO of Procter & Gamble probably really knows his toilet paper, the CEO of
General Motors probably has some clue as to what kind of car to get.

So, it was with some amazement I noticed this in the Sclavos interview:

   Two weekends ago, my daughter said, "Dad, I opened up an e-mail I
   knew I shouldn't have opened up, and now my machine is slow." I ran
   one of the tools you can get online for free (and found) 937 instances
   of spyware or pop-ups or something like that. And my kids, you would
   think, are aware of this stuff.

937 instances of spyware?  He used a free tool you can get online (many of
which, as your readers all probably know, install yet more spyware on your
system)? And, perhaps most disturbing, the CEO of the "trust" company
demonstrates his command of the technical lingo with terms like "spyware or
pop-ups or something like that"?  Pretty scary.  :)

Carl



------ Forwarded Message
From: "dave () farber net" <dave () farber net>
Organization: SFGate, San Francisco, CA
Date: Mon, 10 Jan 2005 08:08 -0800
To: "dave () farber net" <dave () farber net>
Subject: SFGate: VERISIGN/On the Record: Stratton Sclavos


------ End of Forwarded Message


-------------------------------------
You are subscribed as edelman () law harvard edu
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/


------ End of Forwarded Message

