Re: Are .NET Windows Applications Totally Insecure?
From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 03/10/03
- Next message: Michel Gallant (MVP): "Re: PKCS#7 in .Net"
- Previous message: Nick: "PKCS#7 in .Net"
- In reply to: clintonG: "Re: Are .NET Windows Applications Totally Insecure?"
- Next in thread: Ryan M. Hurst [MS]: "Re: Are .NET Windows Applications Totally Insecure?"
- Reply: Ryan M. Hurst [MS]: "Re: Are .NET Windows Applications Totally Insecure?"
From: "Michel Gallant (MVP)" <neutron@istar.ca> Date: Sun, 9 Mar 2003 20:18:07 -0500
You don't seem to understand that the end user has a stake
in trusting the Authentication? This is where trust in the issuing CA
and PKI is important.
I agreed with you that it IS possible to tamper with such signatures,
but then the signature is not the original one, issued by the original
CA.
- Mitch
"clintonG" <csgallagher@REMOVETHISTEXTmetromilwaukee.com> wrote in message
news:OcXFlQp5CHA.2308@TK2MSFTNGP11.phx.gbl...
> Semantic babble. What good is authentication if what is being
> authenticated is a lie?
>
> It seems to me that the associate was correct in concluding that
> .NET Windows applications are not and can not be made secure
> and would be a foolish venture for developers not backed by a team
> of lawyers and plenty of cash.
>
>
> --
> <%= clintonG
> NET csgallagher@REMOVETHISTEXTmetromilwaukee.com
> URL http://www.metromilwaukee.com/clintongallagher/
>
> "Michel Gallant (MVP)" <neutron@istar.ca> wrote in message
> news:#KBTcdc5CHA.3248@TK2MSFTNGP11.phx.gbl...
> > First off, an item (whether it be a native exe, dll or .net assembly or java applet)
> > is digitally signed to provide *authentication* and integrity verification for the end
> > user.
> > It is not really about protecting the "digital asset ownership" of the application
> > itself.
> > You can probably do the same thing with a signed cab archive (i.e. extract the contents,
> > and repackage and sign with your own certificate, claiming you are the owner .. hence
> > constituting fraud!).
> >
> > It is up to the owner to ensure that they *trust* the digital certificate (and hence the
> > CA issuer)
> > of any application they receive that is signed.
> >
> > So this is not an issue with .net at all. It is a lack of understanding of what
> > the purpose of a digital signature is all about!
> >
> > - Mitch
> >
> > "clintonG" <csgallagher@REMOVETHISTEXTmetromilwaukee.com> wrote in message
> > news:#E0fSwb5CHA.2400@TK2MSFTNGP11.phx.gbl...
> > > An associate claims windows applications developed with the
> > > .NET Framework are totally insecure with regard to maintaining
> > > digital asset ownership.
> > >
> > > His claim is based on an assertion that he can use ILDASM
> > > on a dll or an exe to expose the owner of the application,
> > > including the security certificate which can then be cut out and
> > > replaced with other credentials and re-assembled thereby
> > > making the application 'theirs.'
> > >
> > > How sound is his assertion?
> > > Comment on why or why not please.
> > >
> > >
> > > --
> > > <%= Clinton Gallagher
> > > A/E/C Consulting, Web Design, e-Commerce Software Development
> > > Wauwatosa, Milwaukee County, Wisconsin USA
> > > NET csgallagher@REMOVETHISTEXTmetromilwaukee.com
> > > URL http://www.metromilwaukee.com/clintongallagher/
> > >
> > > LaGarde StoreFront 5 Affiliate: e-Commerce Software Development
> > > SEE: http://www.storefront.net/default.asp?REFERER=-201499070
> > >
>
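Added example, not part of the original thread: a PowerShell check for the distinction the messages above draw between a signature that verifies and a signer the end user actually trusts. A repackaged, re-signed file can still carry a signature that validates, so the check also compares the signer certificate against thumbprints the caller has chosen to trust. The function name, parameter names and the placeholder path and thumbprint are assumptions.

```powershell
# Added example: "the signature verifies" and "it was signed by the publisher
# I expect" are two separate checks. Function and parameter names are hypothetical.
function Test-PublisherSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Thumbprints of publisher certificates the caller has decided to trust.
        [Parameter(Mandatory)] [string[]] $TrustedThumbprint
    )

    # Checks the file hash against the signature and builds the chain to a trusted root.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate

    $subject = $null; $issuer = $null; $thumb = $null
    if ($signer) {
        $subject = $signer.Subject
        $issuer  = $signer.Issuer
        $thumb   = $signer.Thumbprint
    }

    if ($sig.Status -eq 'NotSigned') {
        $verdict = 'Rejected: file is not signed'
    }
    elseif ($sig.Status -ne 'Valid') {
        # HashMismatch (content changed after signing), NotTrusted (chain does not
        # end at a trusted root), and the other non-Valid states all land here.
        $verdict = "Rejected: signature status is $($sig.Status)"
    }
    elseif ($TrustedThumbprint -notcontains $thumb) {
        # The case discussed in the thread: the signature verifies, but it is
        # not the original publisher's signature.
        $verdict = 'Rejected: valid signature from an unexpected signer'
    }
    else {
        $verdict = 'Accepted: valid signature from an expected signer'
    }

    [pscustomobject]@{
        Path = $Path; Status = $sig.Status; Subject = $subject
        Issuer = $issuer; Thumbprint = $thumb; Verdict = $verdict
    }
}

# Usage with placeholder values (constructed, replace with your own):
# Test-PublisherSignature -Path 'C:\path\to\app.exe' -TrustedThumbprint '<EXPECTED-PUBLISHER-THUMBPRINT>'
```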