Interesting People mailing list archives
more on SFGate: VERISIGN/On the Record: Stratton Sclavos
From: David Farber <dave () farber net>
Date: Tue, 11 Jan 2005 17:30:35 -0500
------ Forwarded Message
From: Ben Edelman <edelman () law harvard edu>
Date: Tue, 11 Jan 2005 16:46:54 -0500
To: <dave () farber net>
Subject: RE: [IP] more on SFGate: VERISIGN/On the Record: Stratton Sclavos

Dave --

Sclavos' spyware complaints are particularly puzzling because VeriSign profits from the spyware problem, via Verisign's "code signing" digital signatures for ActiveX controls.

Recall that, for a recent version of Internet Explorer to prompt a user to accept an ActiveX auto-installer (via a "drive-by" popup shown as users browse web pages in IE's Internet zone) [1], the ActiveX's CAB file (a compressed installation bundle, like a ZIP) must be digitally signed. [2] For fees of $400 and up, Verisign issues the digital certificates necessary to sign such CABs. [3]

Verisign's customers then go on to use these certificates in exceptionally misleading ways, including:

1) Attempting to install software as users view unrelated sites.
2) Interspersing their software installation attempts with JavaScript popups claiming "You must click yes to continue" and similar.
3) Showing misleading product names that state or imply that their software is necessary, when it is not.
4) Showing lengthy, incomplete, confusing or misleading licenses, or no licenses at all.

VeriSign could stop or reduce these problems by refusing to issue digital certificates to known bad actors, and/or by revoking certificates of those revealed to be bad actors. They would drive some of the bad guys' business to other digital certificate firms (like Thawte), but they'd no longer be suppliers to spyware providers. That'd be a good first step in earning back a bit of users' trust.

Ben

[1] see e.g. <http://www.benedelman.org/spyware/gator-driveby.png>, <http://www.benedelman.org/spyware/images/odysseus-011105.png>, <http://www.benedelman.org/spyware/images/nlite-011105.png>.
[2] <http://msdn.microsoft.com/library/default.asp?url=/workshop/components/activex/packaging.asp>
[3] <http://www.verisign.com/products-services/security-services/code-signing/digital-ids-code-signing/index.html>

------ Forwarded Message
From: Carl Malamud <carl () media org>
Organization: Memory Palace Press
Date: Mon, 10 Jan 2005 11:27:04 -0800 (PST)
To: <dave () farber net>
Subject: Re: [IP] SFGate: VERISIGN/On the Record: Stratton Sclavos

Dave -

You kind of expect the CEO of a company to walk the walk. You know ... the CEO of Procter & Gamble probably really knows his toilet paper, the CEO of General Motors probably has some clue as to what kind of car to get.

So, it was with some amazement I noticed this in the Sclavos interview:
Two weekends ago, my daughter said, "Dad, I opened up an e-mail I knew I shouldn't have opened up, and now my machine is slow." I ran one of the tools you can get online for free (and found) 937 instances of spyware or pop-ups or something like that. And my kids, you would think, are aware of this stuff.
937 instances of spyware? He used a free tool you can get online (many of which, as your readers all probably know, install yet more spyware on your system)? And, perhaps most disturbing, the CEO of the "trust" company demonstrates his command of the technical lingo with terms like "spyware or pop-ups or something like that"?

Pretty scary. :)

Carl

------ Forwarded Message
From: "dave () farber net" <dave () farber net>
Organization: SFGate, San Francisco, CA
Date: Mon, 10 Jan 2005 08:08 -0800
To: "dave () farber net" <dave () farber net>
Subject: SFGate: VERISIGN/On the Record: Stratton Sclavos

------ End of Forwarded Message

-------------------------------------
You are subscribed as edelman () law harvard edu
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/