WebApp Sec mailing list archives
Re: Code Signing ???
From: Saqib Ali <docbook.xml () gmail com>
Date: Mon, 15 Aug 2005 08:14:59 -0700
Hello Devdas, I am not sure if you are in agreement with me or not ;-)
> And we have had Verisign issuing a certificate to random people in the name of Microsoft[1].

Verisign has improved their process a lot. Do you have examples of this happening recently?

> Also, even the IT department cannot trust a random binary, unless it comes over a trusted channel and from a trusted source.

This will require re-designing the internetwork, with each router controlled by a central authority, much like a telephone switching network.
> It only proves that someone was willing to spend some money on getting a certificate in that name. Can you give a single good reason to trust a CA who you do not personally know? And a million other people trust them is not a good reason. A web of trust is far more useful than a simple tree.[2]
This is a separate debate. And it affects several other technologies aside from Code Signing.
> And that is a large reduction in security. Remember, you cannot blame the vendor (EULA). So the code signing merely proves that the code did, in fact, come from that vendor. Which is of no use, since there is no compensation for bad code.
Again. Code Signing never claimed to accomplish this. Code Signing never certifies that a piece of code is "good" code.
> If I can compromise the system, I can change the executable and delete the signature. Since the executable will work fine without the signature, it isn't really effective.
Well if you can compromise the system, you can do much more harm than just modify the binary. That is why I stated earlier that this is out of the scope of code signing. "It is like saying host-based IDS or anti-virus are useless, because if you can compromise the system you can turn them off."

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
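The "delete the signature" objection above only holds if the verifier treats a missing signature as acceptable. The following is an added example, not code from this thread or from any vendor's signing tool: it uses Go's standard crypto/ed25519 as a stand-in for a code-signing scheme and a constructed byte string in place of a real executable, and shows a verifier that rejects stripped and tampered binaries while proving nothing about code quality.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedArtifact pairs an executable's bytes with a detached signature.
// An empty Signature models an attacker who stripped the signature.
type SignedArtifact struct {
	Binary    []byte
	Signature []byte
}

var (
	ErrUnsigned = errors.New("policy: unsigned binary rejected")
	ErrBadSig   = errors.New("signature does not verify against trusted vendor key")
)

// Sign produces a detached signature over the binary with the vendor's key.
func Sign(priv ed25519.PrivateKey, binary []byte) SignedArtifact {
	return SignedArtifact{Binary: binary, Signature: ed25519.Sign(priv, binary)}
}

// Verify enforces a "signature required" policy: a missing signature is a
// rejection, not a pass, so deleting it gains an attacker nothing. A valid
// signature proves only that the holder of the key signed these exact bytes;
// it says nothing about whether the code is "good".
func Verify(trusted ed25519.PublicKey, a SignedArtifact) error {
	if len(a.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(trusted, a.Binary, a.Signature) {
		return ErrBadSig
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	bin := []byte("constructed sample executable bytes") // stands in for a real binary
	signed := Sign(priv, bin)
	fmt.Println("intact:  ", Verify(pub, signed)) // <nil>
	tampered := SignedArtifact{Binary: append([]byte{}, bin...), Signature: signed.Signature}
	tampered.Binary[0] ^= 0xff
	fmt.Println("tampered:", Verify(pub, tampered)) // ErrBadSig
	stripped := SignedArtifact{Binary: tampered.Binary}
	fmt.Println("stripped:", Verify(pub, stripped)) // ErrUnsigned
}
```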