Re: Windows Vista Security Inherently Indeterminate?

In article <1159877105.844452.260690@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, "BC" <callmebc@xxxxxxxxx> writes:

david20@xxxxxxxxxxxxxxxx wrote:
In article <4oetg1Fea96iU1@xxxxxxxxxxxxxx>, Sebastian Gottschalk <seppi@xxxxxxxxx> writes:
david20@xxxxxxxxxxxxxxxx wrote:

In article <4oeds5Fe7io6U1@xxxxxxxxxxxxxx>, Sebastian Gottschalk <seppi@xxxxxxxxx> writes:
BC wrote:

I'm sure there will be some clever reverse engineering to get some trusty
utility apps working again, but then clever hackers and virus writers
will probably be able to do likewise.

As I already mentioned, the evil guys can simply aquire a certificate from
VeriSign. Thank you, Microsoft, for choosing the most incompentent CA.

Come on this was over 5 years ago now

http://www.verisign.com/support/advisories/authenticodefraud.html

It was 5 years ago since the still ongoing series of such incidents
started.

Please post details of subsequent incidents where Verisign has signed
certificates for someone falsely claiming to be Microsoft.


Well, maybe not Microsoft, but there was this from
the latter part of 2002, and it doesn't exactly comfort:
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,73996,00.html


Rather a different issue. Microsoft's software had a rather big flaw.
But in essence it isn't that much different to the recently reported openssl
flaw

http://www.openssl.org/news/secadv_20060905.txt

which amongst other things affects lots of open source browsers

http://www.cdc.informatik.tu-darmstadt.de/securebrowser/

For once IE isn't affected.


David Webb
Security team leader
CCSS
Middlesex University


-BC

.

Relevant Pages

  • Re: what certificate to buy from Verisign ?
    ... \par Microsoft Online Support ... \par Subject: Re: what certificate to buy from Verisign? ... \par> secure communication channel between client/server, ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Windows Vista Security Inherently Indeterminate?
    ... the evil guys can simply aquire a certificate from ... Thank you, Microsoft, for choosing the most incompentent CA. ... Please post details of subsequent incidents where Verisign has signed ...
    (comp.security.misc)
  • Re: Windows Vista Security Inherently Indeterminate?
    ... the evil guys can simply aquire a certificate from ... Thank you, Microsoft, for choosing the most incompentent CA. ... Please post details of subsequent incidents where Verisign has signed ...
    (comp.security.misc)
  • Re: IIS6 with SSL and Certs....slooow access
    ... The problem is not Microsoft CA (e.g. Verisign is supposed to use Microsoft ... Verisign you don't get this warning. ... Problem is in who's certificate your ...
    (microsoft.public.inetserver.iis.security)
  • simple question about certificate chains
    ... certificate with every value I want like putting microsoft in the ... company flag with this cert and the open one from VeriSign. ... certificate would be accepted by most browsers without any prompt, ...
    (alt.computer.security)