Re: [Full-Disclosure] [Bogus] Microsoft Authenticode™ webcam viewer plugin

From: George Capehart (capegeo_at_opengroup.org)
Date: 10/30/03

  • Next message: Bill Royds: "Re: [Full-Disclosure] Coding securely, was Linux (in)security"
    To: nick@virus-l.demon.co.uk, full-disclosure@lists.netsys.com
    Date: Wed, 29 Oct 2003 18:55:16 -0500
    
    

    On Wednesday 29 October 2003 08:04 am, Nick FitzGerald wrote:

    <snip>

    >
    > Authenticode is useless as a means of ensuring code is trustworthy
    > _independent_ of such an effort from the CAs. _All_ Authenticode
    > tells you is that someone was prepared to part with some cash and
    > they found a CA they convinced that they were who they said they
    > were.

    This is why the CA's Certification Practice Statement (CPS) is so
    important . . . and why, if one is going to accept a certificate, they
    *really* should read the CPS and understand exactly what process the CA
    went through to determine the authenticity of the DN. *Then* you
    should read the audit reports to see if the CA is really following the
    CPS. If that information is not publicly available, he/she
    who accepts those certs deserves what he/she gets.

    > In theory (at least if you trust the CA -- which I doubt few
    > possibly could in Verisign's case once it issued code-signing certs
    > under Microsoft's name to non-MS folk despite supposedly having extra
    > special checking mechanisms for such a large and obviously
    > "important" client),

    See above.

    > an Authenticode "all clear" means that if you
    > were stupid enough to "trust" (in the big sense) a piece of signed
    > code the CA can help you locate the rat-bag who signed it should you
    > want to fry their balls...

    See above again. That is true IFF the RA did its job.

    >
    > Anyone who ever thought Authenticode ever bought them more than that
    > was seriously delusional and obviously did not understand the basics
    > of code-signing as a "trust mechanism" (because it isn't one despite
    > what MS wants you to believe). This is all part of why Authenticode
    > and ActiveX were always such fundamentally bad things and why the
    > decision to take this route showed MS lacked even the most basic
    > grasp of the fundamentals of security and trust. That Authenticode
    > has been "sold" (and worse, accepted by some) as anything else but a
    > poor-man's excuse for "nothing much" is somewhere between really sad
    > and criminal...
    >

    I think "nothing much" is being pretty generous . . . :->

    Cheers,

    /g

    -- 
    George Capehart
    capegeo at opengroup dot org
    PGP Key ID: 0x63F0F642 available on most public key servers
    "It is always possible to agglutenate multiple separate problems into a
     single complex interdependent solution.  In most cases this is a bad
     idea."  -- RFC 1925
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
