Don't Trust Code Signed by 'Microsoft Corporation'
omarius writes "From the Microsoft Security Bulletin: 'VeriSign, Inc., recently advised Microsoft that on January 30 and 31, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation".' See the bulletin for more information. Brings a whole new meaning to the concept of 'Windows Update.' ;)" Most users probably ignore the name on a certificate presented to them anyway, but even that minimal protection is worthless if certificate authorities don't perform their job.
I work for a very large company (larger than Microsoft). Last year, I applied for a Class 3 certificate so that we could sign some of our executables (product updates) and ActiveX controls. Verisign asked for names and phone numbers of managers and executives, and said that it would take up to three days to issue the certificate. I had it in less than 8 hours, and nobody on my list was contacted. It didn't leave me with a really warm and fuzzy feeling about the process.
My manager thinks that this whole deal with paying $400/year for a certificate is just a scam, and now I'm inclined to agree with him!
If the certificates were issued January 30 and 31, it has been nearly two months since the mistake was made. Was it only recently discovered? How long did it sit on somebody's desk at either Verisign, Microsoft, or both while those responsible wondered how best to do spin control or even whether to pass on the information at all?
A slightly better approach is OCSP (online cert status protocol), although that too has enough problems for at least two pages of writeup. The basic problem is that revocation doesn't work (once you've emitted a datum you can't retroactively take it back), which the credit card companies discovered about twenty years ago and which the X.509 designers may discover at some point in the future, although for now it's much more fun to fiddle with revocation protocols and mechanisms. Let's face it, as long as there are hordes of people willing to give you money for band-aids and pretend-fixes, why address the real problem?
No, the real point is that now, whenever you see 'Signed by Microsoft Corporation' on the bottom of your installer, you can't be sure anymore. That's why the 'Microsoft Corporation' is quoted in the story headline.
It may not be MS's fault in the slightest, but that doesn't stop their name from being all over it. And dammit, why does the parent to this post, a whining apologist, deserve Score:4?
- A.P.
--
* CmdrTaco is an idiot.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
In a perfect world, anyway...
When you get the "Always trust..." message, it applies to a particular certificate. These are new certificates, so you'll get the message again. The danger is in all the people that will see that the bogus certificate is from "Microsoft Corporation" and click "Accept".
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
The dates. Microsoft says that they received no legit certificates on the dates in question (Jan 29 and 30, 2001). If you check the date of the certificates and it says "Microsoft Corporation" on those dates, it's bogus.
And how many people are going to look at the dates?
If it's possible for MS to revoke those two, why can't the crackers revoke the real ones?
Microsoft didn't revoke them, Verisign did. The problem is that essentially nobody looks at the Revocation List.
...phil
But there are a lot of people out there who aren't in their right mind whenever they sit in front of a computer. That's problem #1.
_____
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
This does bring up the question of trust in .net and specifically, application hosting. Any ASP of sufficient size will be the target of attacks, via dns denial, hacks into weakened machines, certificate hijacking and others. Microsoft itself experienced the first two, but, say with their dns servers knocked out or an expired domain, it wouldn't take very long for someone to start impersonating Microsoft.
"Hot lesbian witches! It's fucking genius!"
Just do like you have to do for every other problem with Windows.
fdisk and reinstall the OS.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
What was that someone said about security thru obscurity? No matter how good your code is, you're still vulnerable at the hardware level, and thru social engineering.
I said it in 1978, when I was 11 years old, and my only computer experience was a TRS-80 my Science teacher brought into the class from his own funds.
"The only legitimate use for computers is games - everything else is a waste of time"
So, can you ever trust an automated software update again?
Sure, if you never use your computer for anything important ever again. Which pretty much relegates computers to only games.
Well, games and pr0n. Even my twisted 11-year old mind could not foresee the computer's role in the pr0n revolution.
Are these dates adjusted by time-zone?
IOW; if I'm in Fiji (opposite side of the international date line), and I check the cert at 12:00 noon GMT, could the UI tell me that the Jan 30, 2001 cert was actually dated Jan 31?
Better yet, how in hell is Microsoft going to implement this "patch"? They can't do it securely. How can I trust that this "patch" is really the real one now, and not one that will permanently etch a back door into my system?
Ladies and Gentlemen, the barn door is open, and the genie is molesting the horses.
That's not necessarily true -- certificates have an expiry date. After the expiry date, the entry in the CRL can be deleted, because the certificate will be rejected anyways.
This certainly will be interesting...
There is no way ANYONE, even Microsoft, can prove that it has not happened. But it will only take one counterexample to prove that it has.
And the current apparent lack of a counterexample does not prove anything.
The danger is that the user will believe that the code really is from THE Microsoft.
Or MS could have noticed the problem when VeriSign first started issuing code-signing certs, complained to Verisign, and had them put the CDP into the certificates.
Either way, MS is much more at fault about this than VeriSign, since they made NO effort to check that their browser supported revocation of certificates for signed code.
As I said, VeriSign screwed up but corrected their mistake within two months. Microsoft has been so negligent that they CAN'T POSSIBLY correct their mistake for many years, because so few people will apply their patches.
The security needs to be built into the software at the outset, not patched on later.
Instead, they chose to ignore the possibility that the security might be flawed and allow revoked certificates to be used. They didn't give a damn whether someone got a fraudulent code-signing certificate for J. Random Software Company, and the browser couldn't tell that it had been revoked. They've only been prompted to take action when this unexpectedly happened using their own name.
VeriSign made an error and corrected it within two months. Microsoft made a bigger error and has taken five years (and counting) to fix it, then has the gall to blame it all on VeriSign.
I have to agree that this research is very interesting, but everything that I've seen and heard about that requires a formal model of software becomes too complicated to use when applied to anything beyond trivial programs. This may be useful for something like little web applets, but forget trying to do something like a payroll, word processor or language interpreter in it.
-"Zow"
Okay, there's plenty to be said about this article, but two things that stand out to me are:
And how many people will go to install this update and click "OK" to accept the certificate signed by "Microsoft Corporation"? I mean, they heard that there was some serious problem in Windows, so they better apply this patch right away and the signature on the patch says that it's from MS, so it must be okay, right?
And this will prevent how many commercial web sites from working? "I just did what Microsoft told me to to fix the problem and now I can't buy anything at Amazon - not even with 'One-click' shopping."
Normally, I wouldn't want to see Microsoft take legal action against anyone, but I really think they should ream Verisign a new one for this. Maybe Verisign should learn not to take their job so lightly then.
-"Zow"
We cannot have only one company to handle Digital Signatures. The internet community should create a non profit company to help with this problem. I am assuming that Microsoft is not the only company that this has happened to.
So... why don't you? You're essentially saying that ``the company is nerds like you and me'' but really, how much of the company's personality comes from said nerds, and how much from obsessively competitive people like William Henry Gates III?
Time and time again, reading the testimony of ex-Microserfs, you see statements like ``we adopted the Microsoft culture'' which was...? Nerdism? Gentle altruism? Quiet pride? No, it was always obsession, competition, fear, elitism (FY-IFV badges), a cog-in-the-machine mentality.
You may fervently hope otherwise, but Microsoft is at heart an extension of Trey Gates, not a collective manifestation of geek culture with a few management problems. It has a track record, not ``had'' one. The mentality which gave it that criminal record is what drives Microsoft along. Separating Microsoft from their history is like unto separating the eggs from a well-cooked omelette. Remember the parable of the frog and the scorpion.
Much better to separate the nerds from the company, than the company from the nerds. That way, the nerds won't be so badly hurt when Microsoft bluescreens, which I suspect will happen with shocking speed.
Got time? Spend some of it coding or testing
You can get mod_ssl to send the user to a page that quietly uploads your self-signed cert into their browser anyway.
I think I should make up a CA called `Microsott Corporation' to self-sign these things with... (-:
The idea of an Open CA is a good one, but... how do we get M$ to include them in the list of trusted authorities within IE? A website with an audit trail of the emails/letters/transcripts from such an attempt would be interesting. (-:
I get a good laugh everytime I see that dialog box.
"Always trust content from Microsoft Corporation?"
*giggle*
-Waldo
Mod parent up please. It's a problem when a post with incorrect information gets "4 informative". It's worse when the reply correcting it is ignored.
-
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Does it still count as a GUI if there are big, ugly gaping holes in the features exposed ?
Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
Yikes, and we're meant to trust them with some of our root domain servers?
Won't be long before they start accepting changes to domains that aren't even held on their servers and then propagate that out to the other servers, ignoring the duplications.
How long till this?
What's funny about the situation with washirv (the original poster) is that, OK, he's got a copy of the public key. But what good is that going to do him? Without the originally generated secret key, the server can't verify itself to incoming SSL connections.
The information he got from Verisign was almost useless, and his company will have to shell out another $500 for a new certificate (which as someone else pointed out isn't a bad idea anyway).
Here's the Verisign Certification Practice Statement - from what little I read the person who fraudulently claimed to represent Msft might be in some serious trouble.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
...and this stops others from misusing the fraudulently-obtained certificate... how
:) IF the FBI can track them down. From the looks of all the lawyers involved in Verisign they're not playing around - they'd probably welcome the opportunity to make a high profile example of some poor schmuck as a warning to everyone else who might want to try forging certificates. Just try forging and passing a few bits of paper money and see how seriously the Treasury dept takes it - it'll get one a long stint in the federal pen.
by putting them in jail
Well M$ didn't screw up this one. However, this story is the clearest example of a future nightmare scenario. Imagine if such things happen under the promiscuity of the .NET overworld? No, even this case might not be M$ screwing up everything. No, not directly.
However it is the WAY these things are set up. On how corp's deal with each other. On how systems and users are protected from everything except corporative interests. On how corp's try to gather everything into a weird electronic Mega-Bazaar. Do you think this is not so dangerous?
Note just how fast they reacted to this. It happened in January. If I'm not mistaken we are already a week before March ends. Can anyone be sure that these certificates were not used already?
Who will trust the trustees????
--
Microsoft and said authority didn't think of this, and so they now have to come up with a totally kludgey patch which they promise won't break anything else.
:-)
Half right. VeriSign *DID* think of this, and followed the documented standard protocol to revoke the certificate.
Microsoft has chosen not to implement a protocol to accept those revocations. That isn't VeriSign's fault, that's 100% grade-a Redmond stupidity, stemming from the facts that:
1) Their security people come from a Windows world.
2) More importantly, their marketing people write checks the programmers can't cash.
Don't blame VeriSign for this, it weakens your case on all the other things you might choose to blame them for.
-
That's all well and good - until I need to install a new system. If I've never run Windows Update before, and have never been asked to accept a Microsoft certificate, how do I know the one I'm receiving is really from Microsoft, and not a man-in-the-middle attack, or a DNS spoof?
--Cycon
Your Brain + EEG + LEGO Robots = Brainstorms
Actually, yes I trust Microsoft. To a limited degree, anyway. I decided years ago that if I was going to play in MS's sandbox, I'd play by their rules. It was just too fscking hard to install Unix-like utilities, editors, and what-not, just to have the whole house of cards come tumbling down because something expects filename case sensitivity or bare LFs or some other niggling little detail.
I went through a period of trying to do things "the right way" -- Backing up old versions of software before installing new, stuff like that. And you know, that didn't work either. Because unless you get all the crap they put in the Windows directory and the registry, you're screwed when you try to back out a change anyway.
So, when in Microsoft, do as Bill Gates does. I'll let programs crap all over the Windows directory and registry. I'll take everything offered by Windows Update. It's the MS way. It's stupid, it's insane, it's plainly the wrong way to design an OS, but you gotta play by the OS's rules or you'll go insane. (I'd have the same problems trying to apply MS or Mac conventions to the Unix world. It just don't work that way.)
So, yeah. I've trusted MS far enough to install their OS on my machine, I may as well trust 'em to give me an ActiveX component now and then.
But never, ever, ever install the Comet Cursor!
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
OK, back that up with some actual facts . . . Still waiting . . . OK the fact is this has never happened or even been attempted (yet). Quit with all your over-dramatized, emotional statements, please.
-- Remember: Wherever you go, there you are!
There are lots of Class 1 certs (search under Option 2 for Microsoft) issued under the OU 'Microsoft' that are obviously invalid. Class 1 certs are only email-verified, so, it's certainly a caveat emptor world with Class 1s...
Anyone have any lead on the certs we should be avoiding? Are they on their CRL (even though codesigning wisely (cough) doesn't check the CRL)?
Returned Peace Corps IT Volunteer
They already did. It'll clean off ALL your dirty windows and replace them with a pure, blue screen (of death).
-- Michael Chermside
- You were suckered into thinking that Microsoft was not truly evil, possibly by an article on MSNBC or ZDNet. Take note: All your media are belong to Microsoft.
- You were suckered into thinking that Linux, open source, or free software is less than perfect in some way. See above.
- You were reading an article written by Jon Katz. I have to admit, this is strong evidence that
/. sucks. Happily, you can set your user profile to filter out such articles.
Therefore, this sounds like a serious fraud charge might be hanging over his head. I wonder if the FBI is on the case. And can they trust that the perp hasn't modified Carnivore using his MS Cert?
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
Let's see...
The FAQ on the Microsoft page claims this isn't a security vulnerability 1 because it was a third party's fault (namely, VeriSign).
Okay, Microsoft can rightfully claim they didn't directly fuck up...
...but, looking over their definition of "security vulnerability" makes me pause
- usurp privileges on the user's system (allow Microsoft to download and run new software and system patches)
- regulate its operation (I hate having to reset to finish installations!)
- compromise data on it (Who replaced all these .dlls on my drive?)
- assume ungranted trust. (Who said we ever trusted Microsoft... *cough* *cough*?)
isn't Windows Update a big old security flaw? (Assuming Microsoft is an "attacker" of user's systems.) Time to hit play and get back to work...
1. A security vulnerability is a flaw in a product that makes it infeasible - even when using the product properly - to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.
George Lee
...is don't include references to Zero Wing in a post you'd like moderators to take seriously. (Of course, I assume this is why that post was modded down. Maybe they took offense to my excessive use of list tags.) ;)
George Lee
AFAIK, Win3.x isn't in widespread use as an Internet client, and the 32-bit executables that could carry these signatures wouldn't work so hot in a 16-bit environment. No, I don't know if adding Win32 qualifies Win3.x to get spoofed by this (but I doubt it), but that still wouldn't put Win3.x "in widespread use".
Likewise, an executable written for Win9x or later wouldn't be a good vector for harmful activity on a Mac or Linux, and it's a really long shot to come up with a malicious executable signed by MS but targeted at non-MS OS's. It could happen, but it won't.
I agree, but CRL has been around longer, and the various standards groups are still trying to work out how OCSP works - AFAIK there are only a couple of working implementations, and none of them are available "In the wild"....
But you're right - OCSP is great for instantaneous checking, and that's where we're heading, but they're (Microsoft, Netscape, Verisign et al.)not even crawling, let alone running along the revocation checking path right now...
McAlister
Ok...I hope this finally gets Microsoft and Verisign out of their complacent moods, and prompts them both to implement Certificate Revocation List capability that WORKS in all of their offerings -
It is because they haven't bothered to do this yet that this is possible - think about it - if CRLs were implemented, and every application that used Certs checked the Revocation list of the issuing CA, this problem would have a trivial solution - Revoke the Cert, and this "fraudulent" issued cert becomes useless.
But since Microsoft, Netscape/AOL, and most other vendors of Certificate aware software haven't bothered until VERY recently to even think of the CRL, then this is now a rather large problem...
Anyways... I hope this causes them to go and actually implement RFC compliant CRL capabilities in all of their products - would make those of us who work with them VERY happy....
McAlister
No, Your analogy doesn't fit. I can revoke my pgp key, and I can change the locks on my door. They should have implemented this necessary feature before they needed it.
The only thing I'm thinking of... is that websites and active X controls (not apps) could cause problems?
I was looking on MicroSoft's website, and saw this:
Microsoft tested the following products to assess whether they are affected by this vulnerability. We will waive normal support guidelines to provide remediation for all operating systems that are still in widespread use, regardless of whether they are normally supported or not.
* Microsoft Windows 95
* Microsoft Windows 98
* Microsoft Windows Me
* Microsoft Windows NT 4.0
* Microsoft Windows 2000
Now, maybe I'm wrong here. But it seems to me that this problem affects other operating systems, not just windows. What about windows 3.11? While it is mostly phased out, it would affect anyone using it who happened upon a website that had these certificates on them. What about a linux or mac user? It certainly would also affect them if they came upon the website. Now, to my knowledge, MS doesn't make any linux software, so it doesn't do anything with ActiveX, but what about Macs? There are versions of Office for macs, wouldn't it affect them? Seems to me that someone was a bit cloud headed when they wrote this.
Actually, it only accepts code signed by the identical certificate. As this is a different certificate with the same name, it would not automatically accept it based on a previous acceptance of "Microsoft".
heh. i haven't trusted Microsoft code in the last 4 years.
but thanks for the heads up.
--
--BlueLines "The cost of living hasn't affected its popularity." -anonymous
I don't trust code from Microsoft when I am 100% sure it's theirs.
I'm a Microsoft user since the early 80's and any update is a crap shoot, that's what reinstalling the OS is for.
Does anyone remember DOS 3.0? DOS 4.0? NT 4.0 service pack 2? Just to name a couple that come to mind...
Despite my cynicism, I'm happy to use Microsoft products. I just understand and plan for the fact that at any time my system might go completely kablooey. Frequent code backups, burning anything useful onto CD ROM's and a bit of common sense have served me well.
You are in a maze of twisty little passages, all alike.
Following the instructions in the warning, I'll beware of stuff from “Microsoft Corporation”, as opposed to "Microsoft Corporation".
Is this news?
--
--
E_NOSIG
It seems that VeriSign really dropped the ball here by first not properly verifying the submitter, then by not providing a way of getting a revocation out in the case they made a mistake. This is just poor planning overall.
Not that I'm surprised, they also own Network Solutions... birds of a feather.
This goes great with this article from a couple of days ago.
I used to think that the whole idea of paying a shitload of money to goons like Verisign was that you could trust the certificates issued by them. If they make mistakes like this, how can I trust them anymore? Furthermore, how can I trust the certificate any ecommerce site that uses their certificates?
This is a huge problem for all CA's if this is a precedent. I'm really curious to see what, if anything, Verisign will do about this.
Yes, one day I may actually learn to spell...
Sure, just install Service Pack 7, followed by Service Pack 3, Service Pack 6, then Service Pack 7 again. Now, delete everything in your Windows directory, and your "My Documents" directory, and the auto-restore will change your state so that it asks who to trust again.
This post is Verisign certified Microsoft content. Trust us, it will work. Really.
---
I couldn't agree more. Verisign has a monopoly on certs root keys, and they milk it for tons of money by making the keys expire every year. Really, advances in decryption do not occur so rapidly that this is implemented for the sake of security. A 5-yr cert might be appropriate, but 1-yr is ridiculous.
I hate to say it, but this case is a good indicator that Verisign is doing almost nothing for the money they charging. For issues of identity and authentication, I think the government is in a better position than a private corporation. I think the US govt. should step in and force verisign to hand over their root key and do the job for them - before Verisign hands out too many more bogus certs. And since Verisign truly has a monopoly on root keys that are integrated in 99% of browsers, the government would have legal authority to do this.
What is truly ironic in this case is that Microsoft is the one that gave Verisign this monopoly in the first place - and they go and screw the one corporation that really matters to them. Doesn't Microsoft already have their cert built into the browser anyway?? I guess they have to go to Verisign to get Navigator support.
-- Virtual Windows Project
CRLs are the nuclear waste of the PKI industry.
They never go away, they keep getting larger, and eventually, there will be no place to keep them :-)
Babies are cute because they have to be.
The problem with any encryption system, nay any protection system at all, is the point at which they break.
The super heavy deadbolts on my front door are useless if I pass out the key. The electronic security system is just a bunch of lights and buzzers if I give out the passcode or everyone ignores it. The extra heavy combination lock is just dead weight if the hinges of the safe are on the outside of the door.
Public Key cryptography is only as strong as the security on the key. The article says that this doesn't fit the strict definition of a security vulnerability, presumably because it doesn't break the software. Well, I'd like to disagree. Part of the product, part of what M$ sells with the promotion of signed ActiveX controls, is that the pieces of code are trusted. This is not a piece of software they are selling, it's an entire system. The software is only part of it. The system has been broken. This makes it a security vulnerability in the same way that giving out keys to my front door and the combination to my safe are security vulnerabilities.
The gist of my rant, and the point I'm trying to convey, is that systems are more than just the software. To concentrate only on one part of the system when defining terms to describe the safety of the whole system is foolish.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Now I'll have to show up at their main office with my boss, and legal team.
Gee, one thinks they should have encoded the web site domain in the certificate so browsers could immediately reject a Microsoft certificate not from microsoft.com
It's a code-signing certificate. Not a certificate for a web site.
Even then, people have thought of this problem. That's why you revoke certificates. The only problem is that Microsoft doesn't check for revoked certificates. This has been brought up before, with no action on Microsoft's part... until now, when it's too late.
--- Where's my X.400 protocol decoder?
I dunno, but it seems to me that they have the bigger problem. We put our trust in VeriSign to properly identify people requesting certificates. That trust has been broken now.
---
The real question is, why is this story posted under Microsoft at all? Clearly Verisign made the mistake.
A few days back we had the whole thing about "why are these certificates so expensive".
Self evidently their procedures for checking are (or were) insufficient.
It's not a problem. The "always trust content from ...." is not on a name basis but on a certificate basis. These phoney (or any other) certificates won't automatically be accepted.
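Three checks come up repeatedly in this thread: the bulletin's issue dates (30 and 31 January 2001) as a marker for the two bogus certificates, the CRL lookup that commenters say client software never performs, and the point above that "Always trust" binds to one certificate rather than to a name. The Go program below is an added example, not code from the story, the bulletin or any poster, and says nothing about how Windows itself behaves; it builds a constructed stand-in issuing CA, two code-signing leaves that both carry CN "Microsoft Corporation", and a CRL revoking the one issued inside the window, then runs the three checks against each.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Start of the bulletin's two-day issuance window (30 and 31 January 2001), in UTC like X.509 validity times.
var windowStart = time.Date(2001, time.January, 30, 0, 0, 0, 0, time.UTC)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildFixture constructs a stand-in issuing CA, two code-signing leaves that both carry
// CN "Microsoft Corporation", and a CRL revoking the one issued inside the window.
// Every name, serial and date here is made up for the example.
func BuildFixture() (ca, bogus, legit *x509.Certificate, crl *x509.RevocationList) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Class 3 Code Signing CA (constructed)"},
		NotBefore:             time.Date(2000, time.January, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2010, time.January, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leaf := func(serial int64, notBefore time.Time) *x509.Certificate {
		leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		der := must(x509.CreateCertificate(rand.Reader, &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "Microsoft Corporation"},
			NotBefore:    notBefore,
			NotAfter:     notBefore.AddDate(1, 0, 0),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		}, ca, &leafKey.PublicKey, caKey))
		return must(x509.ParseCertificate(der))
	}
	bogus = leaf(1001, windowStart.Add(10*time.Hour))
	legit = leaf(1002, time.Date(2000, time.June, 15, 0, 0, 0, 0, time.UTC))
	revokedAt := time.Date(2001, time.March, 22, 0, 0, 0, 0, time.UTC)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          revokedAt,
		NextUpdate:          revokedAt.AddDate(0, 1, 0),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bogus.SerialNumber, RevocationTime: revokedAt}},
	}, ca, caKey))
	return ca, bogus, legit, must(x509.ParseRevocationList(crlDER))
}

// Fingerprint (SHA-256 of the DER) is what an "Always trust" decision should be keyed on, not the name.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Assess applies the checks discussed in the thread and returns the reasons to reject c at time now.
func Assess(c, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) []string {
	var reasons []string
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := c.Verify(opts); err != nil {
		reasons = append(reasons, "chain: "+err.Error())
	}
	// Revocation: the CRL counts only if the issuer signed it; the client gains nothing unless it fetches it.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		reasons = append(reasons, "crl: "+err.Error())
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(c.SerialNumber) == 0 {
			reasons = append(reasons, "revoked on "+r.RevocationTime.UTC().Format("2006-01-02"))
		}
	}
	// Bulletin heuristic: this name with an issue date inside the two-day window marks a bogus certificate.
	if nb := c.NotBefore.UTC(); c.Subject.CommonName == "Microsoft Corporation" && !nb.Before(windowStart) && nb.Before(windowStart.AddDate(0, 0, 2)) {
		reasons = append(reasons, "issued to 'Microsoft Corporation' on "+nb.Format("2006-01-02"))
	}
	return reasons
}

func main() {
	ca, bogus, legit, crl := BuildFixture()
	now := time.Date(2001, time.March, 25, 0, 0, 0, 0, time.UTC)
	fmt.Println(Assess(bogus, ca, crl, now), Assess(legit, ca, crl, now), Fingerprint(bogus) == Fingerprint(legit))
}
```

The legitimate-looking leaf passes all three checks while the one issued inside the window is rejected twice (revoked, and matching the bulletin's name and date), and the two certificates have different fingerprints despite the identical common name.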
Yawn.
"Virtually every vital service- water supply, transportation, energy, banking and finance, telecommunications, public health -- all of these rely upon computers and fiber optic lines, switches and the routers that connect them. Corrupt those networks and you distrupt this nation."
What crap. This type of statement really pisses me off. "Oh God! The computers have failed! WE'RE ALL GONNA DIE!!!!!"
Your water utility or sewage treatment plant on the net? I doubt it. Power plant controls accessible to a "malicious hacker"? I don't frickin think so. You'd have to rip out a lotta network before you trash every vital service in the country.
Come off it. Yes, they (might) have private networks. It would also be a damn sight easier to interrupt any one of them with a plain ol' "spanner in the works" (ie bomb, vandalism) than to try and disrupt them via their computer net. One seems to forget that such places have something called "Manual Control". No doubt a pain-in-the-ass, have-to-have-persons-watching-all-the-time manual control, but still one nonetheless.
I doubt very much that any critical systems (that is , power/water/telcomms/banking) would be getting their updates from Microsoft Update either.
Such scaremongering makes me sick.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Guess the problem here is that it should have always been up to the end user as to which certificate signing authorities to trust, rather than for software manufacturers to decide for us. At least browsers are getting better, before if they saw a certificate that the browser didn't trust it would reject it outright.
But nowadays if a company becomes untrustworthy through malicious intent or just plain incompetence it's not possible for users to 'un-trust' a certificate authority trusted by the browser/software manufacturers.
There should be a higher degree of control at the end-user as to which CA's are trusted.
-- Greg
Slashdot, would a spell-checker for posting be too much to ask? It's not rocket science!
I was just wondering -- when one of those VeriSign things pops up, you have an option to check "Always Trust Xyz Corp". If users have already done this - will this setting apply to ALL certs from Xyz Corp, or just Certs dated before the current date? I am wondering if that prompt is authorizing all certs from a company - or a subset (by date or by class, etc)? Anyone know?
The biggest security worry would be if the people who got the fake certs also had access to MS's internal net (either compromised MS employees, or a compromised net (again)), and were able to add their fake certs to the lists of trusted certs that MS was sending out with their software.
In other words, an area of high risk would be MS products that were manufactured between the issuance of the fake certs and the discovery of the fraud.
So here's a question (and both answers are frightening): Does VeriSign have enough information that they can reconstruct the keys (including the private keys) that were signed by VeriSign?
If the answer is no, then Microsoft has no way to verify that their software hasn't been trojaned to accept the bad certs. If the answer is yes, then VeriSign has enough information to reconstruct anybody's private certs and (possibly) compromise any of our (supposedly) private communications -- should they choose to do so.
--
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
If you find that you've accepted one of the bogus certs, then you may, in fact, need to do a clean install of your system to expunge it. I would, however, strongly suggest that you contact CERT, Microsoft and/or your local/national police force (FBI, etc.) so that they can try and track where you got the cert from and what it's trying to do.
--
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Traci Lords is famous for doing almost all of her porn work (except for one video) when she was underage. The story goes that her producer got put up on child porn charges and used the defence that she had provided (fake) ID that said she was older.
The government responded that the producer should have looked closer at the ID, should have recognized it as fake, didn't do due diligence.
The producer responded by producing a legitimate passport obtained with the false ID. As I understand it, the charges were (mostly) dropped.
--
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
"Microsoft -- a name that you shouldn't trust."
--
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Stop thinking "cracker", "portal page", and "0wn j00", and start thinking "criminal", "financial institution", and... well, "0wn" is the right word, isn't it?
Nobody takes the kind of risk this guy took without a reasonable expectation of reward. The individual(s) who got the certs is probably not the group who ultimately intends to use them.
Actually, the first thing that went through my mind was "I'm glad NSA is gonna be all over this."
The number of users likely to click "yes" to the question "Always trust certificates from Microsoft Corporation" is staggeringly high. In the absence of a viable CRL (certificate revocation) capability in browsers, these certs, if (when?) they fall into the wrong hands, are dangerous weapons.
If the "wrong hands" are organized criminals, the stability of the banking system could be at risk. If the "wrong hands" are agents of another government, it could get even worse.
The issue that I see is not that there is a technology issue at stake here. PKI and Trusted Third Parties are only 20% technology. The other 80% (IMHO) is Process, Policy, Procedure etc.
What happened is the process broke down. Someone was able to impersonate Microsoft, and VeriSign fell for it. What do you think the chances are that if the VeriSign dude who issued the certificates had followed the Certificate Policies and Certificate Practice Statements (CP / CPS) that VeriSign has spent mucho $$$ on, this would have happened?
I think pretty slim. Had the process been followed, no matter how good the impersonator was, someone would have caught it. Here is an extract from VeriSign's CPS:
"Validation of Class 3 certificate applications for organizations includes review by the applicable Class 3 IA of authorization records provided by the applicant or third-party business databases, and independent call-backs ("out-of-band" communications) to the organization"
Obviously this didn't happen, and thus we have untrusted certs roaming around.
But Verisign (and the MS lawyers) would definitely want to know what a window cleaning company is planning to do with certificates.
Funny how this story would probably be rejected if 'Microsoft' didn't figure in it somewhere...
Don't get me wrong. I always put complete trust in Microsoft, and VeriSign for that matter. Always.
Sure I do.
No Laughing Allowed!
Don't trust certificates issued by VeriSign?
Then who will you trust?
With the amount of money VeriSign requires you to pay for their various types of certificates, you would think that they could take the proper steps to ensure that the application is valid? A phone call to the posted number for the company, perhaps?
Running a script to generate a key does not cost hundreds of dollars; we are paying the extra for the cost of validation. I expect VeriSign to DO that validating!
Fork 'em over to Microsoft.
If I recall, there was an issue about a month ago where DNS entries were falsified by a foreign ISP resulting in web traffic being redirected (presumably to their servers).
If Microsoft has been compromised as of Jan 30th, what's the probability that their software updates website has been spoofed? Even if it hasn't happened, it's food for thought.
And, if this event has occurred, all MS users could be effectively fsck'd if those "critical" updates were trojan in nature (or worse). Imagine the implications if your PC were happily sending all your correspondence, stock trades and other financial transactions to a foreign power. Imagine if you are a DOD or gov't employee or contractor (or a high-ranking politician). The potential for cyber-terrorism from this incident is rather extreme.
Not that I'm an alarmist or anything....but when did the stock market start taking a dive?
RD
News of the latest Microsoft compromise should send shivers down all of our spines and makes us wonder if we are under cyberattack.
Some may argue that our PKI infrastructure is in need of review. Whether or not this is true, clearly we must consider whether the products we use can be considered safe. Microsoft is aggressively patching a hole in their Outlook product so that certificates can be checked against so-called "Certificate Revocation Lists". And, while many think CRLs are new, they are not. The specification for CRLs has been available since at least November, 1993. So, why has a critical feature of PKI infrastructure been overlooked?
The pattern of attack against Microsoft began last year. In an article "Microsoft Hack wasn't espionage" by Kevin Mitnick (Nov. 5, 2000), Kevin points out:
"Most newsworthy was the possibility that Microsoft's highly guarded source code was compromised and possibly misappropriated. The Wall Street Journal reported that the hacker might have had access to Windows or Office 2000 source code...Only the hacker and, quite possibly, Microsoft know the real truth."
Today, on Security Focus, there's another article with the headline "White House: Hack attacks are new cold war". The author, for those interested, is Kevin Poulsen.
In this article, it is stated that "Virtually every vital service - water supply, transportation, energy, banking and finance, telecommunications, public health -- all of these rely upon computers and fiber optic lines, switches and the routers that connect them. Corrupt those networks and you disrupt this nation.", Condoleezza Rice.
Our nation runs on computers. Many critical infrastructure systems can be compromised by the simple dismissal of a security warning about a "Microsoft Certificate". But, has anyone stopped to think that we may already have been compromised?
BIND, that daemon that tells computers where to locate a resource, has been discovered to have flaws. Less than a month ago, there was a big concern that a well-planned attack could take down the internet as we know it. If one recalls, there was an incident where an ISP on a South Pacific island introduced false DNS data to redirect traffic to "their" servers.
If one of those servers was a spoofed "Microsoft Update" site and people casually dismissed that security warning that may have popped up on their screens (Hey, it's from Microsoft, right?), millions may have downloaded malicious code right into their operating systems, word processors, or whatever. Given the fact that the source code for Microsoft's OS and Word products may have been compromised in the fall of last year, it would give ample time to develop a functional trojan disguised as a security update or critical update.
Open Source developers aren't immune either. Occasionally, some rogue hacker inserts malicious code into the Linux kernel or utility source. If undetected, we may all be compiling in those changes and thereby compromising our systems as well.
Clearly, something needs to be done. Software that uses PKI must check CRLs, for starters. Certificate vendors need to check identification a bit more closely. And, legislation must be enacted to reduce the liability to individuals whose digital certificates may have been compromised. Finally, the punishment for illegal use of a computer system and intentional computer virus release should be severe mandatory sentences (20-25 years would be a start).
I have never been a strong advocate for cyberpolice. But, as the frequency of attacks and the damage estimates rise, it makes one wonder.
RD
Sorry, you are incorrect. About a year and a half ago, somebody made alterations to a common utility (I don't remember which...sorry...but maybe somebody else out there does remember). The code was posted in CVS and downloaded by thousands before it was caught.
Fortunately, it *WAS* caught and the situation rectified by removing the malicious code and reposting on CVS. But, *IT* did get out there. Whenever you have a lot of complex code and many fingers in the pie, this situation can and does occur.
So, before you condemn me for my opinions, jump off your high horse and get a grasp on reality.
The argument that there are more eyes on the code and somebody will catch it is not necessarily true. If the code looks benign or appears to work as expected, that code probably will not be inspected.
Open Source, while a wonderful thing, is not immune to skulduggery any more than proprietary code if vigilance is not maintained to keep the code pure.
What world are you in? I know of very, very few facilities where there isn't at least one computer connected to the internet in some fashion. Plus, it isn't necessarily the internet from where the intrusion will occur.
While I was in the military, we had a virus problem. We installed AV software on all machines. Every disk was scanned prior to sending them to the shore based communication facility.
Yet, invariably, when the disks were returned to us and we prepared new messages, the virus was back. As it turned out, the virus was on a PC at the communications facility and they were spreading it unwittingly. The internet was only an academic oddity then...so where do you think the virus came from?
Major corporations use MS software. Vigilant administrators are always downloading the latest security or critical update to keep their systems in top form.
The fact that the identity theft was not made public for almost two months is a scary thing. This means that if the original MS intruder got the OS or Word source code in the fall, they had plenty of time to make malicious modification.
Couple this with the hiccups on the web lately (DNS and router problems at major ISPs), and there is the potential for some serious damage to have been done. Has it? I don't know.
Similarly, if somebody managed to get a modified service pack out there, it could easily spread before the damage is realized, just by the sheer goodwill nature of many admins to help others.
Scaremongery? In some respects, yes. But, the fact remains that our systems are vulnerable and only due vigilance will slow the tide of hacker attacks. For this potential scare, I do blame MS, as they have known their identity has been compromised and their software does not handle CRLs. I blame VeriSign for nonchalantly issuing a certificate in Microsoft's name without proper identity verification. As a result, there is a window of opportunity for damage to occur.
That so-called "spanner in the works" could be as simple as somebody unwittingly upgrading their systems with altered software or having played a game with an embedded trojan program during those dull moments.
The manual control you refer to only applies if people are cognizant that there is a problem. If the altered software makes all appear fine, then you've got a real problem. Don't you? Now, couple this with undermanned facilities during the late night shift...get the point now?
It happened ten years ago on a military installation. Why can't it happen in the civilian workplace?
I mean.. Verisign TRUSTED that the person was really from Microsoft...
What more do you want?
-- You can't idiot-proof anything, because they're always coming out with better idiots.
IIRC proof-carrying code is typically a few times larger than the code by itself. This is fine for small things (e.g. see the Necula/Lee paper "Safe kernel extensions without run time checking", where a simple 28-instruction packet filter takes 800 bytes to represent the proof+code), but if the code gets really large then the size overhead for the PCC could grow quite big.
Esp. since the code that a user would be installing from Microsoft typically incurs about a 12x size/functionality overhead! (jk)
Also, as you say, there is a "world of difficulty" defining what can safely be executed, and what "safely" means. With a small set of instructions like for a packet filter, you can resolve it all without TOO much hassle, but code that does a lot more than just look at the bytes of an IP address is going to be HELLA harder to define what is safe for. Also, most code these days links to libraries of other code. Are we going to verify all of those libraries also? Lots of tough problems/extensive research left to work on.
They mention that a Java Virtual Machine could be used as the platform for the code, and that Java bytecode would be what is verified. This might simplify things, but then again, the only code that could be transferred this way would be Java bytecode, and there's still external libraries to deal with.
So no, we aren't there yet, but someday!
"What thou shalt not, I shalt did!" -Bart Simpson
Given Microsoft's unique position in the browser marketplace, why do they not run their own certificate servers and include themselves as one of the default certificate authorities?
It's not as if they show much concern about breaking compatibility with other browsers (even earlier versions of their own), so what's going on?
--- These are not words: wierd, genious, rediculous
I'll submit this as a story, in case /. wants to run it, but suspect they won't. But at least people who find this thread will also be able to get the fix.
Dollars.
But the engineer who had left could very well have taken a copy for himself; and use that for his advantage one day...
can you ever trust an automated software update again, even a "secure" one
Why limit the question to only cover automated updates? What about when you see a security bulletin or a new-version announcement and go to download the new version manually?
The shareholder is always right.
A while ago I checked a checkbox labelled "Always trust content from Microsoft Corporation". Is it possible to undo that?
The shareholder is always right.
Geez! For all youse who were saying that SSH should use some kind of public key authority, THIS is the argument against it. You can NEVER trust ANYONE, EVER! ESPECIALLY if money is involved. The only one you can trust is yourself. Security that relies on a third party isn't secure at all.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
No one in their right mind trusts MSFT anyway.
Ever read the warranty that comes with anything from Verisign? They won't even warrant that their certificates actually represent the individuals or organization that they claim they represent.
Don't Trust Content From "Microsoft Corporation"
(note the quotes), that would be one thing, but this is just misleading and bad journalism. Come on guys!
http://www.naildrivin5.com/davec
Well, they did, and I apologize for my comments. I did just what I was accusing slashdot of. I am an idiot. What a waste of an 8th post......
http://www.naildrivin5.com/davec
- The lack of CRL support. This is largely MS's fault (no in there) and Verisign's fault (no CDP)
- The all or nothing trust model. This is seriously flawed; you do not get the option of letting a control have a 'little' access.
Both share a good bit of the blame. OTOH, it is more fun to just bash MS. Yes, I'm joking.
(From the NTBUGTRAQ) Despite the fact that it's a Microsoft Certificate (for all intents and purposes it appears as such), it WILL NOT automatically be trusted by anyone's system. Even if you have previously stated that you want to trust all signed software from Microsoft, the fact that this one is a *different* Microsoft Certificate means you will still be prompted to trust it.
So it's still a big deal, but if you keep that little bit of knowledge in hand, you won't have to worry (too much).
----------------------------------
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
The answer: they can't do as good a job as government agencies can.
Governments make ideal CAs: they issue birth certificates, driver's licenses, passports, and they are, or tend to be, distributed. I.e., different govt agencies issue different ID docs and can verify each other's documents, usually by requiring people to submit multiple IDs from different sources -- the idea being that to fake your ID you must fake ID documents from multiple agencies, a task that is, hopefully, difficult.
Ultimately you can only approach 100% certainty of a person's ID, and the best way to do it is by requiring and reviewing multiple claims of ID from different sources. A birth certificate can be validated by contacting the issuing authority. A driver's license can be validated by checking the picture on it and then checking the license's validity with the license's issuer. Hopefully the issuers are well-known and hopefully the communications with them are somewhat secure (circularity rears its head). And so on.
In fact, DMVs (Dept. of Motor Vehicles) in the States (ok, New York's at least) have ID point systems whereby they assign different point totals to different kinds of IDs and require that you submit enough IDs to add up to a minimum ID point total in order to establish your ID to them. I think the U.S. Post Office does the same sort of thing for passport applications.
So, IMHO, government agencies would make very good CAs. At least they should sell ID verification services to third-party CAs (in a way they already do: notaries public can attest to an individual's ID, and the notaries can be verified with the state and can be contacted by the CAs to verify their IDs).
Of course, it would be nice if there were a smartcard standard that all citizens (of a country or of any country) could use and to which their governments could download certificates....
But hey, even then, certificates can be stolen; passwords can be stolen; fingers can be cut off; people can be coerced into providing their biometrics ("stand in front of that retina scanner and act normal"); OS security can be broken and CA public keys modified/added.
Oh well...
In fact, the point is worse than that: you can't trust anything that has a VeriSign certificate, as it is clearly far too easy to get a fake certificate.
~~~~~ BigLig2? You mean there's another one of me?
--
DNSSEC
DNSSEC is a project to have a central company, Network Solutions, sign all the .com DNS records. Here's the idea, proposed in 1993:
Even if DNSSEC is someday put into place, it will continue to allow attacks through Network Solutions itself. What happens if a Network Solutions employee is bribed? Are the Network Solutions computers secure? An attacker who breaks into one critical Network Solutions computer will have control over the entire Internet.
Or Network Solutions, now VeriSign, could simply be incompetent.
Edith Keeler Must Die
They'd obviously use it to clean Windows [tm].
--
Ner lbh sebz gur HFN? Gura lbh'ir whfg ivbyngrq gur QZPN!
The way I understand it, trademarks only apply in the same industry. I heard somewhere that there is a toilet bowl cleaner or something like that called Linux, and it's totally legal because they are different industries. That's why the original poster talked about making a window cleaning company. Although Microsoft could afford lawyers good enough to use the intent to deceive idea.
Well honestly, most of us question ANY of those security warnings popping up about such and such a signature, but most of us just blindly accept Microsoft-certified ones. If people are already stupid enough to click on email attachments after the 15 millionth VB virus, what havoc might this wreak?
So does Microsoft seriously believe that the public, the same audience to which Microsoft caters as the "lowest common denominator" when developing such novelties as the talking paperclip, will suddenly divine an understanding of public key cryptography and the meaning behind these certificates? I think this might be the death knell for Microsoft as far as the ideas of "trust" and "security" are concerned.
Good riddance.
No, but I would expect my bank to have the capability to cancel a stolen credit card, by having the ability to check against a list of cancelled cards.
The problem with IE is that it has no method of doing such a check on a Verisign certificate. Oh geez, IE isn't compatible with the #1 CA. Obviously, entirely the CA's fault.
OK, it was human error on Verisign's part. However, it was caught by their internal people. It should be a dead story by now. That it isn't is largely MS's fault.
Sure, if your name is "confusingly similar" to Microsoft's, then they could probably bust you for trademark infringement. VeriSign could deny you a certificate for whatever reason they like, I suppose, but this would be a legitimate one.
The proof is generally generated by the compiler. We can really do this now -- the problem is making the proofs smaller (often they are larger than the program) and enhancing the expressiveness of the safety policy language (right now, usually we just get type safety).
Yeah, maybe. Research is currently being done on how to do this without the idea of a trusted party. The general idea is that the code comes with a proof of its safety (or a proof that it meets some other specification), which is "easily" verified by a small piece of software on your computer. It's not a panacea (there is a world of difficulty in specifying the right policies), but it could certainly stop updates of application-level (or especially applet-level) software from containing naughtiness.
Check out http://www.cs.cmu.edu/~petel/papers/pcc/pcc.html for more info on Proof Carrying Code.
The real question is will Microsoft patch it by including proper certificate revocation lists, or will they just patch it by disallowing those two certificates.
I used up all my sick days, so I'm calling in dead.
But there are like 20/30 CAs in my browser's list, some of them with very obscure names. Will they all refuse it?
--
If code was hard to write, it should be hard to read
What if I owned (I don't, by the way ;-) the domain www.microsoff.nl? I register my company 'Microsoff' here in the Netherlands, and claim I do window-cleaning (as long as the type of commerce you do is different, you can register a name here).
It should be possible for me to get a VeriSign certificate for 'the Microsoff corporation'. Most users won't notice this, so I can trick people into running my code.
Is there anything that can be done against this? Has Microsoft trademarked all 'Microsoft'-alike names? Can VeriSign refuse to give out a certificate?
--
If code was hard to write, it should be hard to read
Hasn't anyone heard of a certificate revocation list?
This is a Microsoft story. It's both a commentary on VeriSign's sad security, and a warning to those who have trusted Microsoft's certificates in the past to be aware of the fact that they may be bogus.
Don't Trust Code Signed by 'Microsoft Corporation'
I've had that one covered for the last 18-24 months or so...
--
Ok, this may be a bit off topic, but I do agree with you: this latest blunder is more a VeriSign problem than a Microsoft problem. I mean, who screwed up here??
You would think that with Microsoft getting ready to be axed by the Justice Department they would smarten up their tactics some and try to be more reasonable in their pricing and licensing, but no, they are going to the opposite extreme. As if "per processor" licensing and CALs weren't bad enough, now they will be trying to use a system of registration to "enable" the software you purchase from them. Kind of like Quickbooks does now with their accounting software. The Justice Department should force them to Open Source.
Nathaniel P. Wilkerson
Domain Names for $13
Nathaniel P. Wilkerson
www.haidacarver.com
can you handle the truth?
--
Je t'aime Stéphanie
This is all fine and dandy, assuming that you can personally be sure that all of the physical and transport layer connections between you and that host name, as well as the system which resolved the hostname, are completely secure and trusted. Otherwise someone could see that you are downloading packets from host X and spoof as host X, sending you packets that you now trust based on the host name only. After all, Microsoft has forgotten to renew a domain once before; who's to say they won't do it again? Only this time it might not be a white hat that fixes the problem.
And the bastards charge money for this service.
VeriSign gave out the wrong certificates. If browsers have already stored these certificates as 'safe', users should remove them, but it's VERISIGN's fault. They should have been more careful when they gave out the certificates. The person who got the certificates could also have used 'Sun' or 'Red Hat' or any other company. Would that company then be 'the faulty'? NO.
--
Never underestimate the relief of true separation of Religion and State.
I infinity bad Japanese translation you!!!
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
This is a security story. The lock logo would have been more appropriate. Oh, wait... every time MS is mentioned on /. you get a spike in ad revenue. Carry on.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
I am desperately making my way through the Verisign website, but I cannot find the CRLs. Where are they?
Thanks for the help,
Andreas Buschka
Ok, so I suppose that now all of you are going to try to convince each other that you trusted Verisign in the first place, da? Like, you know, the same Verisign that owns NSI. Right. I'll go for that.
Now what could happen is that people could just accept the certificates and then SUE verisign for not providing what they were supposed to... could that be possible?
As several others have posted, the trust is granted on a per-certificate basis. You're trusting code signed with that certificate. Mind you, that doesn't prevent people automatically agreeing again when they see the Microsoft name on the certificate...
Well, yes, you would expect them to make that distinction, would you not? :-)
As I post this, neither VeriSign nor MS mentions this on their front page. Do they want to wait until the next cracker who defaces the front page of Altavista or Yahoo adds an ActiveX virus and wipes out (quite easily) ten million machines?
I find it very fascinating that MS doesn't mention anything about the hazards of running code from an unknown author.
I would also hope that Verisign is taking a very serious look at their procedures - if CAs don't verify identities before issuing certificates, what good are they?
For that matter, how were individuals - MS employees or not - given keys in the company's name? There's no need for an individual employee to have those - especially before calling to check with executives within the company.
ActiveX...just say NO!
--Mythos
Well, are they the ones who thought it was smart to have the "Do you trust this company?" screen emphasize the name of the company?
Law is whatever is boldly asserted and plausibly maintained. -- Aaron Burr
I guess it's all a leap of faith ..
Who should read this bulletin: All customers using Microsoft® products.
I'm sure all Microsoft customers will know to navigate to
/technet/security/bulletin/MS01-017.asp
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
If they can't get something so simple as this, can you imagine the holes that will be found in the Windows XP registration system?
hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
"Don't trust code written by Microsoft"
From the MSNBC article: 'The software giant is warning users to be suspicious of any program that arrives with a certificate claiming Microsoft's authority.' Uhh, I do that anyway.
---
Guys, Microsoft is not nearly as evil as you think it is. Yes, they had a track history, and yes clearly Bill Gates is a dick, but there are a lot of cool OS and game programmers, and hardware specialists that put out some wicked shit. You have to separate the company from the nerds like you and me.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Well, you choose the one signed by Microsoft, of course.
I am a bad speler. Please ignore speling meestakes in me poast.
Hmmm... VeriSign and Microsoft... now there's a team that just reeks of reliability!
Surprised? - Not really
Worried? - No more than yesterday
Still accepting certs without EVER reading them? - You Bet Your Sweet Ass!!!
It's not just an OS, It's an adventure!
I am become Troll, destroyer of threads
Microsoft tested the following products to assess whether they are affected by this vulnerability. We will waive normal support guidelines to provide remediation for all operating systems that are still in widespread use, regardless of whether they are normally supported or not.
Although the usual disclaimers apply, they obviously do not want this to get very far.
"It is a greater offense to steal men's labor, than their clothes"
Do you really expect the average Slashdot reader to trust ANYTHING signed by Microsoft?
They make me send them multiple faxes and wait two weeks when I forgot my domain password, but some guy says he's from MS and that's good enough for them?
-- dR.fuZZo
I read that MS is going to release a patch for this problem, that basically turns on the certificate revocation checking in IE. However, they say it'll take a week to get ready. Obviously they are doing some other stuff in there if it's going to take a week. That flag is only a simple registry setting. What they could be doing, I don't know.
Just wondering, would they do this if somebody else's certificate got stolen, or would they make it easy for another third party to accomplish whatever they are going to put in this patch? Is this strictly a privilege of owning the OS and the browser?
Good thing I have neither the time nor the skills nor the inclination. But I bet someone does...
sulli
RTFJ.
VeriSign has revoked the certificates, and they are listed in VeriSign's current Certificate Revocation List (CRL). However, because VeriSign's code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser's CRL-checking mechanism to download the VeriSign CRL and use it. Microsoft is developing an update that rectifies this problem. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local machine, rather than attempting to use the CDP mechanism.
Translation: This cert is bad, but the authority issuing it can't tell you this, even though the authority claims to be responsible for doing so. Microsoft and said authority didn't think of this, and so they now have to come up with a totally kludgey patch which they promise won't break anything else.
This is so fucking confusing even to someone who is fairly technical - can you imagine Joe User's reaction to this? Makes code signing pretty much useless.
sulli
RTFJ.
The sad thing is that people who ticked the little box which said "Trust all programs from microsoft" when they first downloaded something from Microsoft.
Most people don't read and have never read a single security advisory from Microsoft. This is going to be really bad for lots of innocent people.
I wonder what has happened to their stock price.
True indeed. All big corporations are bound to do some ethically questionable things from time to time. Microsoft is not unique in this regard - not at all.
It's usually not hard to figure out if you're getting a MS product online.
The files tend to come from domains like, oh, say, microsoft.com or mechwarrior4.com...
But what about when you're on AOL and you get, whoops, excuse me, WHAT ABOUT WHEN YOU'RE ON AOL AND YOU GET AN EMAIL FROM BILLG@MICROSOFT.COM AND IT HAS A VERI-SIGNED WINDOWS UPDATE?
THAT'S OK TO INSTALL RIGHT?
ME TOO!
"And like that
We trusted MS Before?! Did i blink and miss something?
I betcha it was the NSA who did this, trying to put their backdoor on Windows systems!!
--The space between my ears was intentionally left blank--
This certainly adds a new dimension to recent /. discussions about what, exactly, you get when you pay for an expensive certificate!!
A person of moderate zeal
What if the hacker(s) releases a patch before MS releases one?
I love the smell of Karma in the morning
...but doesn't almost everyone on Slashdot not trust code signed by 'Microsfot Corporation' already??? ;-)
The opinons expressed are those of the voices in the author's head and are not necessarily those of the author.
If you went through the trouble of setting up a webpage of that name AND managed to incorporate (required if you want Corporation in your name) AND managed to pass all the Verisign security checks, you would leave a paper trail 10 miles (16 km) long! Suffice it to say that misuse of your certificate would land you in trouble faster than you could say 'lawyer'.
Javascript + Nintendo DSi = DSiCade
Quoting again your quote:
Read it again. The problem seems to be Verisign NOT specifying the CDP in their certificates. If the CDP is not even there, whether or not MS has CRL checking is irrelevant in this case (it can't be used anyway).
Also, check this link at MS (Certificate Revocation List Checking): http://www.microsoft.com/windows2000/library/planning/security/ipsecsteps.asp.
It seems that CRL checking is supported, although disabled by default. There are also options in IE|Options|Advanced|Security with two options for checking revocation lists.
You're blaming Microsoft, but Microsoft is not the only company using Verisign certs. What about others that have failed to notify Verisign of its design flaw? In any case, Verisign, being an "expert" in this field, shouldn't have come up with this design flaw in the first place.
That may sound like a bold statement, but if you think about it for a moment, can you ever trust an automated software update again, even a "secure" one?
OK,
- B
--
http://www.bradheintz.com/
- updated
IT already has QUOTES! HERE IS A QUOTE FOR YOU, STUPIO MAN: "I am a stupid slashdot poster. I'm also a programmar!"
I hate you!
Mod everyone down! EVERYONE!
I know it's Verisign's fault, but it really doesn't make the consumer side of .NET sound very trustworthy. I understand they're going to be using Kerberos for the Hailstorm identity back-end, but clearly there's plenty of room for Microsoft to botch. They're well positioned (and well funded) to actually go ahead with it, but the question is how much will people trust Microsoft? Even paired up with AmEx?
-- "Sucks to your ass-mar"
That is, are we talking about a real threat or a potential threat?
The person who got the key could hold it close to their chest or publish it on every cracker page going!
Of course, this is probably not too good for Verisign, as they now look like dumbasses, and have probably pissed off MS to boot.
As opposed to previously having looked like dumbasses and pissed off thousands of people who are trying to register expired domain names or get their DNS info in the root servers changed?
It's just more of the same incompetence if you ask me.
It's FUD for the PHBs to make them want .NET
This would be a non-issue if CRLs or something better could do real-time authentication of certs.
Security is about risk control, it is not risk elimination. Authenticode was designed to make downloading software over the net possible by giving a certain degree of assurance that it came from a specific source.
Sure the authentication procedure could be toughened up, requiring people to fly out to California to apply in person, present their passports etc. But does anyone believe that if that had been the requirement people would have used authenticode at all?
One of the rationales given for not insisting on stronger authentication procedures in the SSL space was that if you set a bar that can filter out 99% of the attackers you can then go after the remaining 1% with lawyers and handcuffs. In this case the culprits will have a target painted on their forehead if they try to use the certificates.
So what can the attacker do with their certificates?
They certainly can't boast about their involvement since they have committed fraud. The FBI are reportedly investigating already.
The only thing that an authenticode certificate is good for is to sign code. They could sign a piece of malicious code. But how would they distribute it? They would have to make sure that the Web site the code was distributed through could not be traced back to them.
Even if they did sign malicious code the code itself would be signed with the known 'fraudulent key'. They might catch some people out initially, but the first person to check the cert would raise the alarm.
The problem would go away if the Authenticode verifier did a CRL check or OCSP verification. Until now there has been resistance to checking of CRLs as 'too complex'; the technology certainly exists, however: VeriSign issues a CRL and VeriSign was the original inventor of OCSP. Hopefully what people will take out of this is that CRLs and OCSP are needed.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
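The bulletin quoted earlier in the thread and the post above both come down to two concrete checks a verifier can make: does the certificate carry a CRL Distribution Point at all, and does a locally held, CA-signed CRL list its serial number? As an added example (not code from the bulletin, from Microsoft or from VeriSign), this Python script using the `cryptography` library builds a throwaway test CA, issues one code-signing certificate without a CDP (the situation the bulletin describes) and one with a CDP, revokes the first in a CRL, and then checks both against that CRL held locally, which is how the bulletin says the update's revocation handler works. The CA name, the `EXAMPLE_CDP_URL` and all keys are constructed for the example.

```python
"""Added example: CDP detection and local-CRL revocation checking for
code-signing certificates. Every name, URL and key here is constructed
for the demonstration; none of it is VeriSign's or Microsoft's."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

# Hypothetical CRL location, used only for the "with CDP" certificate.
EXAMPLE_CDP_URL = "http://crl.example.test/codesign.crl"


def _now():
    return datetime.now(timezone.utc)


def make_ca(common_name="Example Code-Signing CA"):
    """Self-signed throwaway CA standing in for a commercial issuer."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(days=1))
        .not_valid_after(_now() + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_code_signing_cert(ca_key, ca_cert, common_name, with_cdp):
    """Issue a code-signing leaf. with_cdp=False mimics a certificate that
    gives verifiers no pointer to the issuer's CRL."""
    key = ec.generate_private_key(ec.SECP256R1())
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(days=1))
        .not_valid_after(_now() + timedelta(days=365))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
    )
    if with_cdp:
        dp = x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(EXAMPLE_CDP_URL)],
            relative_name=None, reasons=None, crl_issuer=None)
        builder = builder.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def build_crl(ca_key, ca_cert, revoked_serials):
    """CA-signed CRL listing the given serials; this is the 'local CRL' a
    verifier can ship and consult without any network fetch."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(_now() - timedelta(hours=1))
        .next_update(_now() + timedelta(days=7))
    )
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(_now() - timedelta(hours=1))
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def crl_distribution_urls(cert):
    """URLs a CRL-fetching client could use; [] when the cert has no CDP."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    urls = []
    for dp in ext.value:
        for name in dp.full_name or []:
            if isinstance(name, x509.UniformResourceIdentifier):
                urls.append(name.value)
    return urls


def is_revoked_by_local_crl(cert, crl, ca_cert):
    """Check a certificate against a locally held CRL. The CRL is trusted
    only if it names the same issuer and its signature verifies with the
    CA key; otherwise the check refuses to answer rather than saying 'ok'."""
    if crl.issuer != cert.issuer:
        raise ValueError("CRL issuer does not match certificate issuer")
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def run_demo():
    ca_key, ca_cert = make_ca()
    # Constructed stand-in for the misissued certificate: no CDP at all.
    fraud = issue_code_signing_cert(ca_key, ca_cert, "Example Corporation", with_cdp=False)
    good = issue_code_signing_cert(ca_key, ca_cert, "Example Corporation", with_cdp=True)
    crl = build_crl(ca_key, ca_cert, [fraud.serial_number])
    return {
        "fraud_cdp_urls": crl_distribution_urls(fraud),   # [] -> nothing to fetch
        "good_cdp_urls": crl_distribution_urls(good),     # [EXAMPLE_CDP_URL]
        "fraud_revoked": is_revoked_by_local_crl(fraud, crl, ca_cert),  # True
        "good_revoked": is_revoked_by_local_crl(good, crl, ca_cert),    # False
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the one the bulletin makes: with no CDP in the certificate, `crl_distribution_urls()` returns nothing and a fetch-based CRL check has nowhere to go, so a local CRL is the only revocation signal the verifier can use. Note that a real verifier would also reject a CRL whose `next_update` has passed and would cache the CRL with the same care it gives trust anchors, since a forged or stale local CRL silently turns the check off again.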
... my ass Verisign is a "trusted authority."
What steps can be taken to prevent this in the future? This is potentially a very dangerous precedent. Should Verisign be held accountable for any resulting damages that result from people being duped by this certificate?
Now that's an interesting question. Can we trust their certs from now on? I'll always be second guessing them now. (sigh)
They may add a security_patch, but what will they do to prevent something like this happening again? What extra steps will they take? Increase the prices of the certificates? People can use money as a tool to hack also... Just wave yer money at em... That usually works :)
----- What's wrong with this picture? http://www.revoh.org:1234/whatswrong
MS have a breach, source code perhaps involved
Class 3 Certificates issued to bogus MS
Big DoS & DNS chaos
Agent revealed & 51 sent back to Russia
Who knows what damage done?
My next sig will be ready soon, but subscribers can beat the rush
Why doesn't Verisign change its name to SelfSign to reflect their new policy for customers. "Pick your company - we provide the brand identity and certificates!"
This hack is by an alien. Near Verisign's headquarters, about 20 UFO sightings have been seen every day for the last month. Are they trying to tell us something? Are they trying to control us via manipulation of Microsoft? Are they introducing subliminal messaging to DirectX(tm)?
Only Kibo can save us.
VeriSign has such a statement, which itemizes what they (in theory) do before issuing a cert.
-jbn
It's usually not hard to figure out if you're getting a MS product online.
The files tend to come from domains like, oh, say, microsoft.com or mechwarrior4.com...
Now, of course, if you are trying to download 'http://ftp.goatse.cx/hotgaypr0n.exe' and it's signed by MS you a) have other problems and b) deserve whatever you get if you accept the file.
Brant
Argle. Bargle.
http://www.verisign.com/repository/CPS/CPSCH2.HTM#_toc361806948
http://www.verisign.com/products/asb/faq.html
Especially interesting is the Assurance level that comes with this cert.
Even if these certificates are never used, there will be some pretty heavy US govt. involvement as a result of this.
Anyone know if this has happened with any companies less visible than MS? A quick search did not turn anything up, but if VeriSign's procedures could let something like this slip through...
that most of us would otherwise trust code signed by Micro$haft.
...And mine was first. Whatever.
"The problem with internet quotations is that many are not genuine" -Abraham Lincoln
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Although I'm not addressing this issue directly, I don't think you thought it through to its conclusion. If you were distributing damaging code as a signed executable to fool people, once it was realized, all the people who'd want to sue you for damage to their computers would know exactly who you are from your information at Verisign!
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use
Comment: Daybo Logic - www.daybologic.com

iQA/AwUBOrqIxSFu/tNNkyL0EQKiAwCdGtGU6iGipc0Tje7PxIH2SPu1b/4AoNPr
mfrni6VS3IiEZ1nPOjxQpz41
=7PkC
-----END PGP SIGNATURE-----
In other words, if a Windoze user has already said "yes" to "always accept software from Microsoft" then... yikes!
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
This could have happened to anyone, any company, including GNU-based organizations that use SSL certificates to authenticate themselves. (like lots of people do with Certificates and vulnerability advisories?) Or maybe when you go to http://www.rehdat.com/ and purchase the new release =)
Microsoft is one of the only companies that ever really bothers to sign their software modules anyway, so this kind of makes it glaringly obvious that the whole concept is broken. Most other companies don't bother to sign, and then they provide help on how to click past the Windows 'this driver is not signed' warnings.
-Keslin, the naked nerd girl
1. Oracle's Larry Ellison, who likes to imperiously "buzz" the poor citizens of San Jose in his Private Jet.
2. AOL-Time Warner, which wants to control both the content and how you can give it "buzz" (see the recent Slashdot thread on "IM").
3. Not to mention IBM, which in its bad old days of the 70's and 80's could actually get Mainframe SysAdmins who did not "THINK" the IBM way fired and blackballed!
Microsoft is not all good. It's not all bad either. Microsoft is just another Corporation playing the rough "Corporate Game". They are only the most successful, currently.
Working for Microsoft is a choice. You don't have to do it. There are (still) lots of other jobs around. If you are waiting for options to vest and think they are going to be worth something, you should be able to laugh all the way to the bank and put up with the complaints.
You can argue whether the stuff that Microsoft produces deserves the commercial success it has. But in terms of technology, Microsoft is about as "cool" as a MacDonald's Happy Meal. Microsoft produces software for the masses, using mostly technology that was roughly state of the art in 1980. Oh, but I will agree: they are getting pretty cool when it comes to graphic design.
Sure they are: the company E-mail and Gates's testimony that have come out have confirmed people's worst suspicions. Microsoft is a big company with but one goal: profit by any means that are even marginally legal. The fact that there are lots of other companies that are just as bad doesn't excuse Microsoft.
Maybe an established insurance company that both issues certificates and insures companies against abuses of certificates has a sufficient incentive to act more prudently.
...if Verisign bears any liability for this. If people start doing this very much, it will undermine confidence in Verisign. I wonder how they are dealing with it.
From the ActiveX download warnings. I mean, that's what could really F$ck you up...
Approximately 1/3rd of the IE/AOL users have probably already decided that "Yaaa, stuff from Microsoft should be alright.." and checked the box. Now anything from "Microsoft Corporation" gets installed sight unseen (innovation in action).
Bam.
say goodbye to your HD.
The primary rule of security is never to have a single point of failure. If you allow any VeriSign-signed certificate to wreak havoc over your computer, that's a single point of failure. No form of security is 100% secure (except gelding, but let's not go there). But if you have 5 levels of security, each with a 1% chance of failure, you end up with a 99.99999999% chance of stopping the intrusion (for the mathematically inclined: [1-(0.01)^5]*100% = 99.99999999%; and yes, I naively assumed that failures at each stage would be independent). So requiring V$-accepted certificates, checking the name of the company that issued the cert, verifying the URL, not running random .EXE files, and using a virus checker gets you a long way towards having a system that won't be compromised by a failure like the one reported today.
The problem is that most of these security methods require a certain amount of expertise and paranoia on the part of the user. Although both are easy to develop when the network you maintain's been cracked once or twice, this sort of thinking isn't something that I would expect or even wish of my Mom (not to disparage moms in general - I know several who know more about security than I ever will) or other loved ones. So the real issue is, can we develop multiple, independent levels of security that don't require expertise or paranoia on the part of the user?
On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.