Slashdot Mirror


How VeriSign Could Stop Drive-By Downloads

emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."

229 comments

  1. Meanwhile by cynix.org · · Score: 4, Insightful

    The beauty of certificates is, you decide who you trust. If you object to VeriSign's practice of issuing certificates to spyware/adware makers, simply don't choose to trust VeriSign's root certificate. This is only a temporary measure, I guess.

    1. Re:Meanwhile by insert_username_here · · Score: 5, Insightful

      So you expect a clueless computer user, who's just learning about this interweb, to understand the importance of trust when downloading software?

      Even ignoring people who've never used a computer before, a lot of people are, unfortunately, very trustworthy.

      Having partly software-verifiable certificates (i.e. signed by Verisign instead of self-signed) goes a long way to helping a browser tell a user whether or not they should be able to trust this mysterious "gator.exe" (of course, people will always find ways around it).

      --
      -- Dramatisation - May Not Have Happened
    2. Re:Meanwhile by Daath · · Score: 1

      Yes well, that doesn't help Joe Sixpack who reads "CLICK YES TO CONTINUE" and does it. The typical person, who chooses to trust or distrust the VeriSign CA, would obviously not fall for this.

      --
      Any technology distinguishable from magic, is insufficiently advanced.
    3. Re:Meanwhile by strider44 · · Score: 4, Insightful

      Tell me then, what's the point of having a certificate when you can get it under any name you want, for any (possibly) malicious piece of software? If it doesn't give any indication of being trustworthy at all then it's absolutely worthless!

      It's ironic that a Microsoft representative a little while ago was criticising Firefox for not paying for a certificate for the download. What is to stop someone registering "Firefox Browser" or "Click Yes to Download" instead? Certificates, when they are so easily abused like this, are only detrimental - they create a fake level of trust.

    4. Re:Meanwhile by elgaard · · Score: 4, Insightful

      It would help Joe Sixpack if he used a browser that did not trust the VeriSign CA per default.

    5. Re:Meanwhile by Anonymous Coward · · Score: 5, Insightful

      Aside from the enormous inconvenience of actually practicing this with high security settings.

      If Verisign is making certain claims about their trustworthiness, and that of the people they certify, they should be held accountable when those claims are demonstrably false. They're lying for money. No, it might not be the end user's money, but it's their time that's being stolen, and Verisign is doing it for money. And while there certainly is some wisdom in being a wary buyer, I think there is something to be said for forcing people to keep their promises to the larger marketplace. "Oh, they're rich, it's good for their business.", doesn't exactly put me in a benefit of the doubt kind of mood.

    6. Re:Meanwhile by evilbuny · · Score: 3, Informative

      Ever tried removing these certificates from MS IE on WinXP? The buggers just keep getting downloaded and reinstalled, and so far I don't know any way to disable this "feature".

    7. Re:Meanwhile by blane.bramble · · Score: 1, Redundant

      The certificate is there to prove the content is from who it claims to be, not that the content or provider is trustworthy.

    8. Re:Meanwhile by X0563511 · · Score: 4, Interesting

      I remember after digging around in the MMC seeing somewhere that Verisign is not only trusted by IE, but XP itself!

      There's a copy of their public certificate on your machine - that's how IE can tell if it really was Verisign that signed it.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    9. Re:Meanwhile by Marvelicious · · Score: 3, Interesting

      Granted, but that's a pretty fine point to explain to, say, my roommates who regularly start bitching about their computer acting "weird."
      "Well, that certificate thing popped up so I thought it was safe..."
      So every couple weeks I go in and do the electronic enema for them.

      --
      Send whiskey and fresh horses!
    10. Re:Meanwhile by Marvelicious · · Score: 2, Funny

      Oh, and my personal favorite is when I see the option: "Always trust software content from Microsoft" Yeah sure, I could use a bridge!

      --
      Send whiskey and fresh horses!
    11. Re:Meanwhile by dosius · · Score: 1

      The typical person *is* Joe Sixpack.

      Moll.

      --
      What you hear in the ear, preach from the rooftop Matthew 10.27b
    12. Re:Meanwhile by Hognoxious · · Score: 1
      Even ignoring people who've never used a computer before, a lot of people are, unfortunately, very trustworthy
      Why is it unfortunate that lots of people are trustworthy?
      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    13. Re:Meanwhile by Anonymous Coward · · Score: 0

      He has not figured out the difference between "trusting" and "trustworthy".

    14. Re:Meanwhile by DarkTempes · · Score: 5, Informative

      the point of a certificate is NOT to verify that the company/person is a trustworthy company/person

      it's to verify that the software is FROM the person/company on the certificate

      certificates verify identification/authentication -- they are NOT an indication of trustworthy software, nor are they supposed to be.

      the problem is literacy and common sense, something that many people seem to lose the minute they touch a computer.

    15. Re:Meanwhile by BarryNorton · · Score: 2, Funny

      So if someone comes to their (physical) door and presents a laminated ID they pull down their trousers and bend over?

    16. Re:Meanwhile by strider44 · · Score: 2, Interesting

      So if someone says that they are downloading Firefox, they can just get a certificate, say it's from the "Firefox Foundation" (a mythical yet believable organization) downloading a program called "Firefox Browser", and most people would click yes. This defeats the whole purpose of having certificates to prove the content is from who it claims to be, when you can just lie about it!

    17. Re:Meanwhile by sbryant · · Score: 4, Insightful

      Yes well, that doesn't help Joe Sixpack who reads "CLICK YES TO CONTINUE" and does it.

      At least he read it! I know plenty of people who will just click OK without even looking at what they're agreeing to.

      The trouble is that lots of people don't understand what is being asked of them (so many give up reading at all). Signed certificate? While I could explain what it is, how do you teach people to be able to choose the good from the bad? Some are definitely not so easy to spot.

      Ol' Joe should be more distrusting of these things, but isn't.

      -- Steve

    18. Re:Meanwhile by Dolda2000 · · Score: 2, Insightful
      What you seem to be missing is the fact that certificates are meant for authentication, not authorization. While it would most likely help if VeriSign wouldn't issue certificates to dubious software vendors, that would be as much abuse of the technology as the idea of setting "sex bits" on IP packets to indicate sexual content.

      Thus, authentication already works the way it should. This is not a case where I should say "don't fix what already works", but rather "don't break that which works". Instead, work should be done on the authorization part. I have no suggestion as to how authorization should be fixed, but at least authentication shouldn't be broken just to get an ad-hoc fix to authorization.

    19. Re:Meanwhile by sl4shd0rk · · Score: 2, Insightful

      > they create a fake level of trust.
      Yes, but they generate a *huge* volume of capital and this is what drives the interweb now.

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    20. Re:Meanwhile by Raphael · · Score: 2, Insightful
      So if someone says that they are downloading Firefox, they can just get a certificate, say it's from the "Firefox Foundation" (a mythical yet believable organization) downloading a program called "Firefox Browser", and most people would click yes.

      Right. This is one of the things that the article was complaining about. Unfortunately, there is no easy way to prevent that kind of scam: Verisign could check for obvious stuff such as "CLICK YES..." but it would be hard for them or for anyone else to check for names that are similar to the names of companies or individuals all over the world.

      This defeats the whole purpose of having certificates to prove the content is from who it claims to be, when you can just lie about it!

      If you accept all certificates blindly, then yes. If you pay a bit more attention, then no. You should only trust the certificates for the level of security that they provide, not more.

      Once you have determined that a certificate is good, you can choose to let your software remember that decision so that you do not have to check it again the next time you see it.

      --
      -Raphaël
    21. Re:Meanwhile by DrXym · · Score: 2, Interesting
      The thing though is, that at least IE insists controls be signed. Firefox does not insist that extensions be signed.

      Now controls are unarguably the bigger danger, but that does not excuse the weak security defaults that Firefox uses for extensions. A user can install any extension without a clue as to who wrote it, or even if it was tampered with. The default policy should be accept signed extensions and not accept unsigned ones at all. If people want to change that preference, that's their own business, but secure by default should still be the order of the day.

    22. Re:Meanwhile by ergo98 · · Score: 3, Informative

      Verisign is not only trusted by IE, but XP itself!

      Verisign is recognized as an authorized certificate authority because Windows has a central certificate store that can be used for a wide variety of applications (much more than just browsing the web). This sort of seems like a logical, good design way of doing it (rather than each app having an island of certificates).

      The root certificates that you are speaking of, which you can find in the MMC snap-in Certificates, have specific uses that they are allowed for. There are several Verisign certificates, including one used to validate Verisign issued email signing certificates, another general purpose one for code signing (which can be pervasive in Windows if you desire) and client certificates, and so on. By themselves they don't allow Verisign to ownz your machine, but rather allow you to use Verisign issued certificates in a whole trust infrastructure.

    23. Re:Meanwhile by SiChemist · · Score: 2, Insightful

      But the point of the article was that Verisign was not enforcing its own rules. Some of the company names on the certificates were FAKED. In that instance you can't verify who the software is FROM in any meaningful way.

      At least part of the problem is that Verisign is unwilling to make even the smallest effort to end trickery using its service.

    24. Re:Meanwhile by Anonymous Coward · · Score: 0

      The thing though is, that at least IE insists controls be signed. Firefox does not insist that extensions be signed.

      What good is that when every piece of spyware in creation is signed?

    25. Re:Meanwhile by DarkTempes · · Score: 2

      err Firefox doesn't really let you do that extremely easily

      you'll click on the 'extensions' file
      firefox will pop up with a notice up top that you need to add that to the allowed list, you do.

      then you have to click it again to let firefox install it.

      if something is 'signed' it would just pop up once, be like "Do you trust this certificate (not do you trust this site)", average joe is stupid and just says yes always, and then it installs.

      seems to me firefox's method for extensions is actually harder than using a 'secure' certificate.

    26. Re:Meanwhile by NoMoreNicksLeft · · Score: 4, Interesting

      I don't agree. This is partially an issue with business names themselves. If we were talking proper names, e.g. John Smith (the individual), a man who writes spammy spyware for a living, and the cert says his name is John Smith, then yes, it's authenticating him (and his software) as being the person he says he is.

      Unfortunately, a person can game this system by choosing any business name they like. "CLICK HERE TO INSTALL" is not a legitimate name, not even a legitimate business name... I seriously doubt it's a registered or incorporated business name, and even if it is, it's done only so they can get a certificate with the same name. How can you authenticate them with a bullshit name? Authentication means proving who they are, which this isn't doing at all. And I don't mean to be ultra-picky, but if you couldn't get a driver's license with the name, or open a bank account with it, you probably shouldn't be able to get a certificate with that name.

    27. Re:Meanwhile by thatnerdguy · · Score: 4, Funny

      setting "sex bits" on IP packets to indicate sexual content.
      Are those like the Evil Bits?

      --
      I saw the Sign, and it opened up my eyes
    28. Re:Meanwhile by Dolda2000 · · Score: 1
      I'm sorry, my post was a bit out of context -- in fact, I hadn't even seen that VeriSign issues certs to fake names. What I was protesting against is all these people saying things such that VeriSign should not issue certificates to makers of malware, regardless of what they call their companies.

      That is abusing the technology in the sense of using authentication for authorization, which is, objectively speaking, wrong.

      Of course, as you say, VeriSign shouldn't grant certificates to obviously faked names.

    29. Re:Meanwhile by DrXym · · Score: 1
      Because signing means that if you download (for example) the Yahoo toolbar you can see and inspect the signature against it and determine it really was written by Yahoo. If some cracker decides to tamper with the XPI package, it will be immediately obvious, because either there will be no signature or Firefox will warn you that the Yahoo signature does not correspond with the contents.


      Without the signature, you haven't the faintest idea who wrote that XPI or if it's been tampered with.

    30. Re:Meanwhile by DrXym · · Score: 2
      Firefox is using domain trust as a poor man's code signing.

      It doesn't do you much good if the site in question has been hacked or is subject to a man in the middle attack. You as the user have no idea in either case if that extension has been tampered with because it has no signature.

      Nor does domain trust work well when the domain in question hosts hundreds of controls. For example, once you've trusted the Mozilla extensions website, the domain check is not going to protect you from downloading something malicious.

      Personally I believe signing should be in addition to the domain check with future versions of firefox supporting GPG signing. Also, the mozilla extension site should crack open xpi files so interested people can browse inside it.

      Nothing is going to be a magic bullet, but the mantra should be safe by default, with enough checks and safeguards to quickly identify and zap anything malicious.

    31. Re:Meanwhile by itchy92 · · Score: 5, Funny

      "CLICK HERE TO INSTALL" is not a legitimate name, not even a legitimate business name

      Sir, I resent your libelous filth and my legal counsel will be contacting you shortly.

      Aaron Firouz
      CEO
      CLICK HERE TO INSTALL, LLC.

      --
      Slashdot: News for nerds. Stuff tha-- MICRO$OFT IS THE DEVIL!!1
    32. Re:Meanwhile by kawika · · Score: 5, Insightful

      Verisign charges $400 for a code signing certificate. It doesn't appear they do anywhere near $400 worth of work at the moment. Even if it's true that catching scam names in advance is hard, revoking them should be easy. The "Click YES to continue" cert is still valid, and I can assure you that Verisign is quite aware of it.

    33. Re:Meanwhile by Anonymous Coward · · Score: 0

      Then maybe you should read the damn article before spouting off, moron.

    34. Re:Meanwhile by topham · · Score: 1

      Just because you wouldn't operate a business under that name doesn't mean somebody else hasn't actually registered it.

      I remember a story on a guy who registered long distance provider company names. Names such as "I don't care", "Any", "Pick one".

      These were typical responses when an operator asked which carrier, and since the name, as specified by the customer existed they were obligated to use it.

      Needless to say the rates for those particular companies were some of the highest.

    35. Re:Meanwhile by harlows_monkeys · · Score: 1
      The beauty of certificates is, you decide who you trust. If you object to VeriSign's practice of issuing certificates to spyware/adware makers, simply don't choose to trust VeriSign's root certificate

      95% of certificates are from VeriSign. Your solution is not practical.

    36. Re:Meanwhile by DarkTempes · · Score: 2

      man in the middle attacks...for firefox extensions?

      isn't that a little bit of extreme paranoia?

      oh wait, this is slashdot =)

      agreed, domain trust is a poor solution, and GPG signing would be nice. but...the magic bullet is for the user to not be stupid and pay attention to what they are allowing their browser to install.

      if the end user used common sense when installing software from the internet, you'd probably cut down 90% of all spyware/adware/etc; assuming they're using firefox. if they use IE they're just doomed.

      the problem is people tend to get this 'oh look i'm stupid' syndrome when they use computers. they tend to become illiterate and not read what their screen says and just click buttons. they then also tend to not notice that something is way different than what they've done before. in addition they tend to be utterly trusting of EVERYTHING involving a computer. i suppose windows could be to blame for spoonfeeding the user in the past. but yech! people need to use their brains!

      i bet if i send said 'stupid' users something in the mail saying 'you could win $1,000,000! Just mail us back your credit card number and we'll automatically enter you!" they're going to throw it away or call someone. just computers make people stupid, it's plain SAD.

    37. Re:Meanwhile by speculatrix · · Score: 1

      They're lying for money

      I recall an old adage.. "when no one believes a man's lies any more, he hires a lawyer to tell them for him".

      Proof? SCO vs linux/IBM.

    38. Re:Meanwhile by DrXym · · Score: 2
      No it's not paranoia. It's a legitimate problem that digital signing is there to detect. You might ask how this relates to Firefox, well consider this.


      By default Firefox automatically checks for updates for itself and its extensions. Therefore on any one day there could potentially be a million browsers calling home for updates. If a hacker could crack the site, or redirect DNS lookups to their own bogus updates.mozilla.org, they could compromise tens of thousands of machines if not more before anyone noticed any different.


      You tell me that is paranoia. You tell me that any cracker wouldn't give their right eye to own an automated update service, be it for Mozilla, Red Hat, Microsoft or anyone else. The updates mechanism is an obvious attack vector.


      At least with digital signing it would allow packages to be checked for authenticity first. For example if updates.mozilla.org claims there is a new .xpi update patch for Firefox, that patch should be signed by mozilla.org. Firefox should ignore patches that are *not* signed. The same goes for extensions - if the new extension is not signed with the same key as the older version, it should not be updated.


      As for the user not being stupid... You tell me how a user is meant to know that when Firefox says an extension has an update, that it's really a trojan. There's no signature, so how are they meant to know? If updates.mozilla.org says it's new, why shouldn't they trust it?

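The update-signing policy DrXym lays out above (ignore unsigned packages, verify the signature against the bytes received, and refuse an update signed with a different key than the installed version), as an added example that is not code from Firefox, Mozilla or the original thread. It uses ed25519 from Go's standard library; the package names, keys and package contents are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for an extension package (.xpi):
// the bytes plus the publisher's key and signature. Unsigned = no key, no sig.
type Update struct {
	Payload   []byte
	PubKey    ed25519.PublicKey
	Signature []byte
}

// Installed is what the browser remembers: the key fingerprint the first version carried.
type Installed struct {
	Name           string
	KeyFingerprint string
}

var (
	ErrUnsigned     = errors.New("update is unsigned: ignored")
	ErrBadSignature = errors.New("signature does not match package contents")
	ErrKeyChanged   = errors.New("update signed by a different key than the installed version")
)

// Fingerprint identifies a publisher key by the hex SHA-256 of its bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignUpdate is the publisher side: sign the package bytes with the publisher key.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{
		Payload:   payload,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, payload),
	}
}

// CheckUpdate applies the policy from the post: ignore unsigned packages, reject a
// signature that does not cover the bytes actually received, and reject a package
// signed by any key other than the installed version's (a hijacked server cannot re-sign).
func CheckUpdate(inst Installed, upd Update) error {
	if len(upd.Signature) == 0 || len(upd.PubKey) != ed25519.PublicKeySize {
		return ErrUnsigned
	}
	if !ed25519.Verify(upd.PubKey, upd.Payload, upd.Signature) {
		return ErrBadSignature
	}
	if Fingerprint(upd.PubKey) != inst.KeyFingerprint {
		return ErrKeyChanged
	}
	return nil
}

// Scenarios runs the cases a client can meet when an update server (real or
// impersonated) offers a new package. Keys and contents are constructed.
func Scenarios() (map[string]error, error) {
	_, publisher, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attacker, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Version 1 came from the real publisher; its key fingerprint is remembered.
	v1 := SignUpdate(publisher, []byte("toolbar-1.0.xpi: constructed contents"))
	inst := Installed{Name: "Example Toolbar", KeyFingerprint: Fingerprint(v1.PubKey)}
	genuine := SignUpdate(publisher, []byte("toolbar-1.1.xpi: constructed contents"))
	tampered := genuine // same signature, but the bytes were altered on the way
	tampered.Payload = []byte("toolbar-1.1.xpi: constructed contents + injected code")
	unsigned := Update{Payload: []byte("toolbar-1.1.xpi: no signature at all")}
	rekeyed := SignUpdate(attacker, []byte("toolbar-1.1.xpi: constructed contents"))
	return map[string]error{
		"genuine":  CheckUpdate(inst, genuine),
		"tampered": CheckUpdate(inst, tampered),
		"unsigned": CheckUpdate(inst, unsigned),
		"rekeyed":  CheckUpdate(inst, rekeyed),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		fmt.Printf("%-8s -> %v\n", name, verdict)
	}
}
```

Only the genuine package passes; the other three are rejected for the reason the post names, and the key-continuity check is what stops a substituted server from simply re-signing its own package.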
    39. Re:Meanwhile by Anonymous Coward · · Score: 0

      card-swipe access at its finest.

    40. Re:Meanwhile by monkeyboy87 · · Score: 2, Funny

      Not that this is a shock, but checking that box never seems to work. I still to this day do not know what's up with that.

    41. Re:Meanwhile by Anonymous Coward · · Score: 1, Funny

      the problem is literacy and common sense, something that many people seem to lose the minute they touch a computer.

      I think it is long before that point in time.

    42. Re:Meanwhile by vsync64 · · Score: 2, Interesting
      Because signing means that if you download (for example) the Yahoo toolbar you can see and inspect the signature against it and determine it really was written by Yahoo.
      Or by "Y\u0430hoo".
      --
      TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
    43. Re:Meanwhile by letxa2000 · · Score: 1
      Just goes to show that overpriced SSL certificates are worthless. That's why I use InstantSSL... cheap and no frills. But who cares. If it encrypts the connection, that's what people really care about.

    44. Re:Meanwhile by DrXym · · Score: 1

      I would assume that Firefox has learnt its mistake from the last IDnames exploit and do something to highlight such tricks.

    45. Re:Meanwhile by goofyspouse · · Score: 2, Funny

      "Are those like the Evil Bits?"

      No. You are getting this confused with your "Naughty Bits".

    46. Re:Meanwhile by Anonymous Coward · · Score: 0

      99% of what most users do on the web requires no interaction with the physical computer (existing files, registry, etc.)

      The fix is to make the browser run in a separate memory space under a virtual machine that has NO (0, notta) way to access back the real machine's hard drive or registry.

      The state of this virtual machine should not be saved. Settings/preferences are done OUTSIDE of the virtual machine and cannot be accessed inside of it. If the virtual machine becomes compromised, ending it then restarting it gets you a clean slate.

      This does break things that require saving or opening files, but that is the price you pay for this security. Adobe .PDF files could be saved inside the virtual machine and opened within it - but it would never have access or be saved outside the virtual machine.

      The true file transfer process should be handled outside the browser by a different piece of software such as bit torrent.

      Same thing with e-mail.

      My .02

    47. Re:Meanwhile by Anonymous Coward · · Score: 0

      Me? I'm tempted to pull all the Verisign certs I can get my hands on, so that no machine I have control over trusts them one bit. It's not like they haven't abused our trust several times before.

    48. Re:Meanwhile by Anonymous Coward · · Score: 1, Insightful

      Agreed. For much less than $400, I can open a bank account. The bank takes reasonable measures to be sure that I am who I say I am or that I actually represent the business I'm claiming to represent. No reason Verisign couldn't do the same thing.

    49. Re:Meanwhile by Anonymous Coward · · Score: 0

      I can't believe VeriSign does this. It's so misleading, "click yes to visit this website". But then when you look at the fine details it is really saying "Click yes to be connected to a 1-900 number that will rape you up the ass with phone charges." I think something needs to be done and VeriSign needs a kick in the ass. What good are they for verifying companies / people if they let you sign up with any company or product name?

    50. Re:Meanwhile by runnin247 · · Score: 1

      oh, to be typical. Recent dietary changes have turned me into Joe Keg...

    51. Re:Meanwhile by raehl · · Score: 1

      Are those like the Evil Bits?

      No, those would be the No_Sex bits.

    52. Re:Meanwhile by Anonymous Coward · · Score: 0

      The point is that Verisign gets a bunch of your money. What, did you think they were worried about the public good or something?

    53. Re:Meanwhile by Marvelicious · · Score: 1

      Actually, that just happened yesterday!

      --
      Send whiskey and fresh horses!
    54. Re:Meanwhile by Anonymous Coward · · Score: 0
      Since the RSA Conference is starting tomorrow and since there are three VeriSign people speaking at the conference why doesn't someone just ask them there what is going on?

      The first VeriSign person up to speak is Dr Phillip Hallam-Baker speaking on 'Security for Real People' in the Perimeter Defense track. He is their Chief Scientist, he should be able to give an answer.

    55. Re:Meanwhile by Anonymous Coward · · Score: 0

      Verisign and their subsidiary control 95% of the market, according to TFA. If you exclude them, you have essentially opted out of certificates. Too many legitimate companies have certificates with Verisign & Co., and nowhere else.

    56. Re:Meanwhile by blane.bramble · · Score: 1

      But the bank makes money from you having a bank account. Verisign doesn't make money from you having a certificate, so it charges you to issue it.

  2. Sure. by DarkHelmet · · Score: 0
    Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers.

    Right, and why does it matter when 85% of guys in front of a computer are going to say yes to a company called MAKE YOUR PENIS BIGGER Ltd?

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    1. Re:Sure. by Anonymous Coward · · Score: 0

      Oh, great. Making suggestions for how Verisign
      can clean up their act regarding the issuing
      of CA digital signatures is not unlike trying
      to talk streetwalking prostitutes into becoming
      call girls.

      The most money for the least effort, and the
      least up-front cost to them - that's what rules
      most of quarter-annual corporate America, Verisign
      included.

  3. They can do that? by Eatmorecake · · Score: 1

    Do you just have to click the link, or what??

    --
    Don't you mean.. BIZZARO! ..Signature?
  4. Yes, but by unkaggregate · · Score: 3, Insightful
    what happens when they stop using such blatantly obvious names and go with more subtle made-up names?

    Heck, what if they start using a thesaurus to pick complicated sound names that sound cool?

    1. Re:Yes, but by TLLOTS · · Score: 3, Insightful

      While I expect you're correct in your assumptions about what people attempting to abuse this would do, shouldn't VeriSign still perform some verification of the company's details given and ensure that if false information is given, they can somehow contact the person who brought in the application for the certificate.

      After all, if there's no real verification done then what good are these? It seems like they're more $200 - $600 licenses to trick users into downloading your spyware.

    2. Re:Yes, but by Dogtanian · · Score: 0, Offtopic

      You may want to get a dictionary yourself, it's spelled 'thesaurus'...

      No, dumbass. 'Thesaurus' spells thesaurus.

      Dictionary is spelled 'dictionary'.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    3. Re:Yes, but by operagost · · Score: 1

      How about CompuGlobalHyperMegaNet?

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    4. Re:Yes, but by Blakey+Rat · · Score: 1

      See this link:

      http://it.slashdot.org/comments.pl?sid=139348&cid=11666348

      The problem is that the name of the company, the actual name they file taxes under, is "Click Ok To Continue." Verisign simply gave the company a certificate for their own name-- they verified it by using a phone bill and calling the number on the bill.

  5. That would slow things down by tjlsmith · · Score: 4, Insightful

    And since the purpose of opportunistic companies like Verisign, whose keys are no better than anyone else's, is to make as much doe ray me as fast as possible, why are they going to do this?

    --
    Mumia Abu-Jamal is *laughably guilty*. Check the evidence.
    1. Re:That would slow things down by Shano · · Score: 2, Insightful

      I would assume, since they're one of the bigger companies out there, that they think it will make them look good. If they don't crack down on the fraudsters, there's a risk that people will stop trusting Verisign. In which case, no more profits for them.

    2. Re:That would slow things down by ZoneGray · · Score: 1

      I think what needs to happen is for a large corporate customer (one that has been victimized by adware/etc) to sue Verisign over their negligence, or fraudulent representation of their certificates. Might make a nifty class-action suit, too.

      I mean, if they issue a certificate to a company named "CLICK YES TO CONTINUE", then they're not even making a token effort to provide the services they claim.

    3. Re:That would slow things down by Anonymous Coward · · Score: 0

      And the award for most random sig ever goes to...

      Seriously, though, yes, he has, and yes, he probably is, respectively.

    4. Re:That would slow things down by Anonymous Coward · · Score: 0

      > I would assume, since they're one of the bigger companies out there, that they think it will make them look good.

      Look good to whom? The only people who matter are VeriSign's investors - those are the only ones management will listen to.

      If current practices are cost-efficient and profit-maximizing, why change? Up to The Day when the large, mass-media-covered protests start, those investors have no reason to complain, so VeriSign has no reason to change. Yes, "no reason to change" does include the fact that people are being misled by VeriSign; that is not a concern to the investors, only the money matters.

  6. Sounds logical but... by nuclear305 · · Score: 4, Insightful

    I can't deny that VeriSign should be doing a better job with stuff like this, but I certainly don't believe in the claim that by taking their certs away drive-by downloads will suddenly stop.

    The real problem is the fact that nobody bothers to read the window that has just popped up in front of them. I'm guilty of this myself, there have been times I've not even recognized a problem with certs on my own servers the first few times clicking through.

    My saving grace is that I never ever click an OK or YES button unless I'm expecting one. That simple rule has kept me from ever having anything installed using this method. The problem is that not everyone understands that they should not agree to every popup window they see. It's not going to matter if it claims to be authorized by God himself; if it has a YES/NO/CANCEL option and the user is not security-aware the person will probably say yes. I think educating people would be more effective than trying to get the CAs to revoke the certificates.

    I'm sure there will be plenty of the "Use FireFox, Problem Solved!" comments as well. I have experienced, rarely, where a drive-by site is impossible to say "no" to when under Firefox and eventually crashed the browser but IE under SP2 handled itself very well on the same page.

    1. Re:Sounds logical but... by ZiZ · · Score: 5, Insightful

      > I'm sure there will be plenty of the "Use FireFox, Problem Solved!" comments as well. I have experienced, rarely, where a drive-by site is impossible to say "no" to when under Firefox and eventually crashed the browser but IE under SP2 handled itself very well on the same page.

      Right, IE just calmly and quietly installs the software for you if you're not computer-savvy enough to say 'yes' to the dialog box to start with. ;) Seriously, though, I think that the /possibility/ of letting computers auto-install software that doesn't /directly/ come from a company that you've already approved - that is, Microsoft updates for Windows, Mozilla Foundation updates for Mozilla or Firefox, Adobe updates for Photoshop - causes more problems than it reduces headaches. Make people go through extra steps if they want to install FREE PR0N EXPAND YOUR PENIS NOW or A COOL SCREENSAVER FOR YOU, since computers have long been training your average user to just say 'ok' to any dialog box that pops up.

      --
      This flies in the face of science.
    2. Re:Sounds logical but... by X0563511 · · Score: 2, Interesting

      I've had a couple drive-bys in firefox. Malicious Java scripts, no signing needed.

      Fortunately enough my AV caught them and kept them from spreading, but firefox died and had to be restarted.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    3. Re:Sounds logical but... by JudgeFurious · · Score: 4, Informative

      I know what you mean about never clicking "OK" or "YES" buttons, hell I won't even click "NO". Ok, so it's not so much a problem these days what with the OSX and the Mac but at the end of my Windows "experience" I simply decided that nothing that popped up could be trusted. I got the idea in my head that even the "NO" button was a lie.

      My own saving grace (I think) was that I got in the habit of always going down to the taskbar and doing the "right-click, close" bit.

      Education is the ticket but man, I question whether or not some of these people can be educated. I've been at this for over a decade in the same job, supporting the same people and the people I've been trying to teach continue to step on the landmines. Sure from time to time there's a success story or two with my users but for the most part the ones who are going to screw up continue to screw up.

      --
      Appended to the end of comments you post. 120 chars.
    4. Re:Sounds logical but... by NardofDoom · · Score: 3, Informative

      Part of Apple's Human Interface Guidelines is to avoid buttons that say "Okay" or "Yes." Buttons should have verbs in them telling the user what's going to happen. So, on a Mac, it says "Install" instead of "Okay." So you can be sure what's going to happen when you click it. Quite handy.

      --
      You have two hands and one brain, so always code twice as much as you think!
    5. Re:Sounds logical but... by rythos · · Score: 1

      The problem I see with this is that my favourite Firefox plugin is Tabbrowser Extensions, which I don't think I would be able to use Firefox without. Anyone who knows this plugin knows that not only is it not available from the Firefox plugin page, but in early versions the Firefox team was _actively_ dissuading people from using it. It is sometimes a good idea to allow Joe-Blow the ability to publish plugins, updates, whatever.

    6. Re:Sounds logical but... by ZiZ · · Score: 1

      Sure, but you wouldn't be /prohibited/ from using alternate extensions. You'd just have to save them to disk and install them from there through a manual process. The added steps would change it from an easy social engineering task to a difficult social engineering task (though, considering viruses are spreading successfully in password-protected ZIP files, certainly not an impossible one). Nevertheless, it offloads a bit more of the onus on the user to be smart about popups.

      --
      This flies in the face of science.
    7. Re:Sounds logical but... by RzUpAnmsCwrds · · Score: 1

      "So, on a Mac, it says "Install" instead of "Okay.""

      Funny, it doesn't say "OK" on Windows XP SP2.

      It says "Install". And the dialog doesn't even come up unless you click the "information bar" (a feature Firefox later ripped off) and choose "Install ActiveX Control".

  7. Keep on dreaming by Ubi_NL · · Score: 4, Informative

    After the whole debacle with the DNS, somehow I don't see Verisign prioritizing ethics over profit any time soon.

    --

    If an experiment works, something has gone wrong.
    1. Re:Keep on dreaming by evilbuny · · Score: 2, Interesting

      Not to mention the debacle over punycode domains and Verisign not following RFC security guidelines to normalise domains before they allow them to be issued. Seems they have a lot of fingers in a lot of pies at present to gain a lot of money from a lot of dubious practices....

    2. Re:Keep on dreaming by Anonymous Coward · · Score: 1, Funny

      Asking Verisign to stop being unethical is like asking fresh manure to stop smelling.

    3. Re:Keep on dreaming by Anonymous Coward · · Score: 0

      You will however notice that businesses continue to give Verisign money. The unfortunate fact is that the decision makers in most companies don't read the stories about Verisign's business practices. Don't expect Verisign to change unless you can find a way to impact their bottom line.

  8. VeriSign doesn't love us. by Anonymous Coward · · Score: 3, Insightful

    Help us for "free"?

    Remember the DNS hijack? They wouldn't back down until they were sued and threatened repeatedly.

  9. New Times? by HateBreeder · · Score: 5, Funny

    Perhaps, one day after Drive-By Downloads are stopped, a new era could emerge...
    A time in which east-side nerds could live side by side with west-side nerds.

    I have a dream...

    --
    Sigs are for the weak.
    1. Re:New Times? by Anonymous Coward · · Score: 0

      Your name makes your comment so ironic.

    2. Re:New Times? by Dogtanian · · Score: 1

      Perhaps, one day after Drive-By Downloads are stopped, a new era could emerge... A time in which east-side nerds could live side by side with west-side nerds.

      But hopefully not before Bill Gates is shot dead by Larry Ellison (a la Tupac Shakur), because Steve Ballmer dissed Oracle.

      Or maybe it was meant to be a 'West Side Story' reference, which suggests that the solution to the problem of bogus Verisign certificates is....

      Dance!

      I have a dream...

      Is that a quote from Martin Luther King, or ABBA?!

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  10. The Other 15% by carterhawk001 · · Score: 1, Funny

    Do You Want To Trust The Certificate For Make Your Penis Smaller?

  11. Stupid User Factor... by Anonymous Coward · · Score: 0, Redundant

    How is Verisign responsible for stupid users? I don't understand why they should deny themselves business by blocking companies called "CLICK YES TO CONTINUE" or whatever the fuck they want.

    At the end of the day, it's the end user that agrees to the cert. Stupid is as stupid does. Just let Darwin sort it out.

    That is all.

    1. Re:Stupid User Factor... by KinkyClown · · Score: 3, Insightful

      Just let Darwin sort it out.

      Right. And until that time we will have to deal with a few million zompies that spam us? Not really a good option.

      We should try to educate the users that are unaware to these problems. Just like I am constantly helping my parents and friends. They would never OK such a certificate because I tolled them that it could be spyware, etc.

    2. Re:Stupid User Factor... by Anonymous Coward · · Score: 0

      You tolled them? How much was it ;)

    3. Re:Stupid User Factor... by Anonymous Coward · · Score: 0

      They would never OK such a certificate because I tolled them that it could be spyware, etc.

      So how much did you toll them for?

    4. Re:Stupid User Factor... by Anonymous Coward · · Score: 0

      He tolled them after he gave them some tasty zompies. :)

  12. Why was this allowed before? by millwall · · Score: 3, Insightful

    How come they only just now start to question companies with names such as "CLICK YES TO CONTINUE"?

    It's so basic that it's sad that they now issue this press release trying to make them look like good guys, even though it's so obvious and should have been looked into much earlier.

  13. An idea but in practice... by portwojc · · Score: 2, Insightful

    That requires VeriSign to actually do something and cuts into their profits.

    Look at the mess known as the domain registry and how much junk information is found in there. I'm sure the license for the SSL has the same requirements (and no teeth) just like the DNS registry does.

    1. Re:An idea but in practice... by lachlan76 · · Score: 1

      License for SSL? You get your CA's public key into the browser and you are now God.

  14. Verisign certificate worthless by Anonymous Coward · · Score: 2, Interesting

    That doesn't mitigate Verisign awarding certificates from bogus companies.
    It's possible to have your Internet Explorer set to accept properly certified code, so in some cases the user doesn't even look.

    1. Re:Verisign certificate worthless by Anonymous Coward · · Score: 0

      But I thought I could trust IE because of these certificates? No? Surely there's another solution?

  15. but my company name really is by Anonymous Coward · · Score: 5, Funny

    I DARE YOU TO CLICK YES

    we were also considering

    CLICK YES YOU MORON

    OMG, WERE YOU SERIOUSLY GOING TO CLICK NO

    and

    THIS IS SO COOL, YOU GOTTA SEE WHAT HAPPENS WHEN YOU CLICK YES

    1. Re:but my company name really is by SacredNaCl · · Score: 2, Funny

      I'm still waiting for the box that says:

      "Click No to install XXX toolbar" ;-)

      --
      Freedom is merely privilege extended unless enjoyed by one and all.
    2. Re:but my company name really is by Anonymous Coward · · Score: 0
      You forgot a couple:
      CLICK YES TO GET LAID (for men)
      and
      CLICK YES TO FIND TRUE LOVE (for women)
    3. Re:but my company name really is by Evro · · Score: 1

      I realize this is in jest, but it raises an interesting point. What's to stop the malware makers from simply creating corporations called "click here 1" "Click here 2" etc? Then VeriSign would have no reason to decline them.

      --
      rooooar
  16. Perhaps Verisign should obey by Radiate · · Score: 2, Interesting

    Either that or they face the "threat" that more and more people switch over to Firefox which doesn't use ActiveX at all which in turn means less activex certification profits?

    1. Re:Perhaps Verisign should obey by Anonymous Coward · · Score: 0

      Until they covertly join the firefox dev team, and find a way to work some level of activeX support in.

  17. best thing to do by Anonymous Coward · · Score: 2, Funny

    is to design a mechanism for stabbing people in the face over the internet.

  18. Here's solution: by Anonymous Coward · · Score: 3, Funny


    Wanna get rid of spyware, adware and malware?

    CLICK YES TO CONTINUE

    1. Re:Here's solution: by Anonymous Coward · · Score: 0, Troll

      yeah, right

    2. Re:Here's solution: by Anonymous Coward · · Score: 0

      Hi,

      I just wanted to let you know that because of your comment, I will be stabbing an Apple user to death later today.

      Please feel free to continue posting these pithy, amusing and oh so unique comments wherever they aren't wanted. I will continue stabbing Mac users.

      PS. I also steal their Ipods.

      PPS. I don't use them or sell them, I just smash them to pieces for fun.

      Regards,
      Someone finally driven over the edge.

    3. Re:Here's solution: by Anonymous Coward · · Score: 0

      so your solution is to buy an entirely new computer?

    4. Re:Here's solution: by Some_Llama · · Score: 1

      The really funny thing about the parent is that quicktime acts just like spyware: it adds itself to your startup items, reassociates all of your files to use quicktime as the preferred player, reinstalls itself if you try to disable it (instead of removing the entry with hijackthis/regedit) and pops up windows asking you to "upgrade" every time you actually run it...

      UGH!

    5. Re:Here's solution: by Kehvarl · · Score: 1

      Quicktime isn't that bad as long as you don't just use the default options when installing it...

      Then again, I'm advocating a course of action which requires -not- simply clicking next and letting the default options do as they wish.

      Yes, I can see why this wouldn't work.

  19. Trust is an easily broken thing by Gareth+Saxby · · Score: 3, Insightful

    Too often do I trust the wrong sites, with owners that I personally know myself, to then be bogged down with spyware alerts on my computer. I'm amazed at what Verisign has done in the first place; it makes them seem more concerned about earning money than security over malicious applications and code.

    The very cheek of it all, is that the main marketing technique on their website is to talk about security. I think if they were going to clean up their act, they would have done it a long time ago. No hope for some people.

    1. Re:Trust is an easily broken thing by Grishnakh · · Score: 1

      I'm amazed at what Verisign has done in the first place, it makes them seem more concerned about earning money than security over malicious applications and code.

      Why is this amazing? Everyone should know by now that American companies are more concerned with making money than anything else, no matter what the consequences are. If they could get rich by strangling babies, then American companies would happily do so.

    2. Re:Trust is an easily broken thing by Gareth+Saxby · · Score: 1

      I guess I'm too naive for my own good. I do feel that companies should have a responsibility to be honest in their work practices, but to be frank, I highly doubt they care what I myself feel.

    3. Re:Trust is an easily broken thing by Grishnakh · · Score: 1

      I guess I'm too naive for my own good. I do feel that companies should have a responsibility to be honest in their work practices, but to be frank, I highly doubt they care what I myself feel.

      I think they should also have a responsibility to be honest; in fact, I think anyone who thinks otherwise is very ethically challenged, and is not someone I would ever trust.

      However, I've been around too long to believe that this is the case, and from what I've seen it's frequently the opposite. There's nothing wrong with believing that companies, and the people who run them, should be ethical and honest, but naivete is only believing that they are, when all indications are currently otherwise.

  20. In Japan by Anonymous Coward · · Score: 0


    Girls stop drive-by downloads for guys!

    And in Korea, they're only for old people anyway.

  21. Click yes to continue by Anonymous Coward · · Score: 5, Funny

    Reminds me of a comment on politics which also appeared on /. some time ago.

    It was proposed to change one's name to None Of The Above and run for presidency.

    1. Re:Click yes to continue by johndiii · · Score: 1

      Or make a movie called SECURITY DEVICE ENCLOSED.

      Lameness filter encountered. Post aborted!
      Reason: Don't use so many caps. It's like YELLING.

      --
      Floating face-down in a river of regret...and thoughts of you...
    2. Re:Click yes to continue by Anonymous Coward · · Score: 0

      Lucky you... In the UK that's illegal

      (see http://www.legislation.hmso.gov.uk/si/si2005/20050147.htm)

  22. Verisign is not at fault. by Capt'n+Hector · · Score: 3, Interesting

    Seriously. It blows my mind that I can create a site that can make a dialogue box pop up that when the user clicks "yes" can install software. Verisign can't be blamed for that mess. ActiveX, on the other hand, can. Here's how MY browser works: It displays webpages. If I want software, I download it to my desktop. I then choose to open it or delete it. No ActiveX, no auto-launching/auto-installing/etc bs. What's so hard about that?

    --
    Quid festinatio swallonis est aetherfuga inonusti?
    Africus aut Europaeus?
    1. Re:Verisign is not at fault. by MichaelSmith · · Score: 5, Insightful
      Here's how MY browser works: It displays webpages

      My Sister-in-law runs redhat 9 (because I installed the system)

      She tells me that she often goes to sites which offer games which she (or her son) would like to run. Most of the time they don't work either because they need java or activex, or because they are just broken

      Either way it is my fault for giving her a PC which doesn't do all these things

      You and I have reasonable expectations about technology. The person in the street has different expectations and they drive the market

    2. Re:Verisign is not at fault. by Hognoxious · · Score: 2, Interesting

      It's absolutely incredible and totally unacceptable that there isn't an option "Don't install anything. Like, ever.", and that it isn't set by default. IE has a checkbox in the advanced settings called "Enable install on demand" but unchecking it makes no difference as far as I can see.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    3. Re:Verisign is not at fault. by jrumney · · Score: 4, Informative
      IE has a checkbox in the advanced settings called "Enable install on demand" but unchecking it makes no difference as far as I can see.

      Unchecking it prevents IE from offering to download IE language packs when you visit a website you cannot view with currently installed languages. Nothing more. If you have all the languages you can read installed already, then you probably won't want this checked.

    4. Re:Verisign is not at fault. by Anonymous Coward · · Score: 0

      Spoken like a true genius.

    5. Re:Verisign is not at fault. by CarrionBird · · Score: 1
      I think the problem is, for the average joe, ALL browsers are "broken" from the get go. They can't properly display half the sites out there because those sites depend on some BS plugin that is not included.

      So people learn that in order to get their computer thing to work, they have to constantly be installing the latest flasholio plugin 5000(TM). How is such a person going to know trustworthy from not?

      --
      Free Mac Mini Yeah, it's
    6. Re:Verisign is not at fault. by Hognoxious · · Score: 2, Funny
      Silly me for not realising that it's specifically to do with languages. After all the clues were blindingly obvious to see:
      1) the word "language" does not appear in the label,
      2) or the header of the section it's in,
      3) or the help that comes up with [?].

      Not having a go at you there, by the way. Unless you're a usability specialist at MS.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    7. Re:Verisign is not at fault. by jrumney · · Score: 1
      Unless you're a usability specialist at MS.

      No, I'm not. And I agree that it's a particularly badly named option. I just came across this information a while ago and thought I'd pass it on.

    8. Re:Verisign is not at fault. by cortana · · Score: 1

      There is. Alter the settings for the Internet security zone to deny all activex content, etc etc. While you're there, you can turn off all the other shit that MICROS~1 has fucked up the 'net with.

    9. Re:Verisign is not at fault. by cortana · · Score: 1

      They could always Google for the organisation name displayed on the certificate. You know, do a little research.

      The same people wouldn't go out and randomly buy a car, or a cooker, or a washing machine, without going to Which, Consumer Reports and so on check on the reputation of the company that makes the goods.

      Ok, some would. But they get what they deserve.

    10. Re:Verisign is not at fault. by CarrionBird · · Score: 1
      Actually I think the average consumer would. The most "research" the average consumer does is done in store. (i.e. ask the salesdroid)

      "Extended warranty, how could I lose!!"- H. Simpson

      --
      Free Mac Mini Yeah, it's
    11. Re:Verisign is not at fault. by Anonymous Coward · · Score: 0

      The setting is "Install Signed ActiveX Controls" under Security. (As others have said, "Install On Demand" is for fonts & stuff.)

    12. Re:Verisign is not at fault. by Grishnakh · · Score: 1

      First, you need to upgrade her to a newer version. RH9 is getting really old.

      Anyway, tell her she has a choice between using the system you set up for her, which works all the time, doesn't get viruses and spyware, doesn't need a periodic "clean-up" or reinstall, etc., OR she can get her own system with Windows installed, and then when it needs the inevitable clean-up or reinstall, she can pay hundreds of dollars for some PC repair shop to do it, like most people these days do.

      It's funny how many people like to complain when they're given a free gift.

      What kind of stupid sites use ActiveX anyway? Honestly, I've never run across any (except on my company intranet, of course).

    13. Re:Verisign is not at fault. by Anonymous Coward · · Score: 0

      > First, you need to upgrade her to a newer version. RH9 is getting really old.

      Geez, that's as bad as any forced MS upgrade. Someone should never be advised to upgrade just because "it's getting really old".

    14. Re:Verisign is not at fault. by Grishnakh · · Score: 1

      If you don't see the difference between an MS upgrade and a Linux upgrade, you've got issues. A linux upgrade is like driving around an older car, and someone coming up to you with a shiny new car and saying they'll give it to you for free, no strings attached.

      A Linux upgrade costs nothing. Just download the ISOs and install away. It only costs a little time, but it's worth it (at least when coming from something old like RH9). When I upgraded my SuSE box, it was easy; I didn't have to reformat or anything. It just installed on top of my old (SuSE 9.0) installation. Having my /home directories on another partition helped a lot too, since I could just unmount that and not worry about it being corrupted.

      This isn't like Windows where you have to pay a hefty fee to "upgrade".

  23. Wants and Gets by ATAMAH · · Score: 1

    "Now, Ben wants VeriSign to clean up its act"
    And of course VeriSign will immediately go "Sir, yes Sir, we will Sir! We've already started bending over backwards, Sir !"

  24. You can verify source (sort of) by KZigurs · · Score: 3, Interesting

    This is the point - this means that if, just by accident, it turns out that the given software performs illegal actions, uses your computer to store kiddie porn or starts to send spam to .gov or .mil addresses, verisign can track the body it issued the certificate to and hold it accountable.

    And it has nothing to do with actual quality of software it has signed.

  25. Re:best thing to do by Anonymous Coward · · Score: 0

    Hell yea!

    Be better if it was just painful/irritating instead of serious injury/fatality prone...

    That way you could do it repeatedly.

    The NEW spam!

  26. Why should Verisign oblige? by littlem · · Score: 5, Insightful
    Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."

    Come on! Verisign's whole business model is to sell as many certificates as it can - it's simply not in their interests to show scruples like that. Verisign have the MicroSoft seal of approval, so for the average desktop user that makes their reputation beyond suspicion, so they have nothing to lose.

  27. Clicking Yes to continue... by Bob64 · · Score: 4, Funny

    From what I have seen, I believe that the employees at Verisign are "Clicking yes to continue" when approving certificate requests. Or someone mistakenly clicked the "Yes to All" button.

    1. Re:Clicking Yes to continue... by wild_berry · · Score: 1

      I, for one, welcome our new "Yes to All" overlords.

    2. Re:Clicking Yes to continue... by sharkey · · Score: 1

      When will people learn that clicking "Yes to All" is a bad idea? Shit, I won the lottery, but so did like 400,000 other people, so I only got 17 bucks.


      Well, at least the Sabres won the Stanley Cup.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    3. Re:Clicking Yes to continue... by borawjm · · Score: 0

      Perhaps their employee handbook states that all employees must initially approve all requests. Once they get the money, remove the invalid or faulty certificates.

      Along the same lines as an insurance company that has a policy of rejecting all claims unless the person who filed the claim is very persistent.

      Yeah, I watched "The Rainmaker" over the weekend.

  28. Re:Meanwhile, back in reality by Anonymous Coward · · Score: 3, Interesting
    The beauty of certificates is, you decide who you trust. If you object to VeriSign's practice of issuing certificates to spyware/adware makers, simply don't choose to trust VeriSign's root certificate. This is only a temporary measure, I guess.

    Indeed.

    Basically a certificate signed by Verisign is just that and only that. It's a certificate signed by Verisign. It doesn't say anything about the person or company presenting the certificate, their partners, business practices, history, ethics or ANYTHING ELSE. The only thing it's safe to assume is that someone fed Verisign a (probably valid) credit card number and they received a signed certificate (which you're looking at). That's it. End of story.

    For some reason people see the words 'signed' and 'certificate' and assume there's some automagic security haze covering everything and they get really upset when this turns out not to be the case.

    When people start blathering 'Oh, but I just assumed...' remind them that assumption is the mother of all fsckups and they really should have learned that lesson by now.

  29. Jesus v 2.0 by Anonymous Coward · · Score: 0

    Jesus 2.0 is vaporware. All that anyone knows about it is that it is "coming soon"

  30. A dumb users first experience of the internet... by buro9 · · Score: 5, Insightful

    ...is to trust everyone.

    They have to.

    Every site that they visit will have embedded Flash, embedded Java, embedded QuickTime, embedded Real, embedded midi (FFS!).

    They are taught on their first few days to trust everyone, and that nothing that they want to achieve can be done without trusting that the site is legit in asking you to download and install stuff.

    And when they speak to their geek friends (or friends of their kids), they get told dismissively and condescendingly that YES, they must install to see the site properly, to do what they want. You can bet that they won't ask a second time!

    Is it really a surprise then, that we have a problem later with dumb users downloading spyware, adware, and malware in general?

    The problem could be much alleviated by simply pre-installing all of the key technologies in advance.

    Some Linux distros do this... my mother knew from the first moment she used Simply Mepis that she didn't need to download anything else... I told her this, and because nearly all of her sites worked (just not pogo.com) she hasn't downloaded anything else.

    But you can't do this with Windows... because Windows gives you nothing, and certainly nothing from Apple, Real, Macromedia, Sun, etc... and then to compound it, Windows is an open playground for malware once downloaded.

    If Windows RME were permitted to be shipped with not just alternatives and pre-configured competitor offerings for media, but also with common plugins for the web... and... maybe even Firefox to give choice... then this would do more to prevent malware spreading than Verisign being forced to change their practices.

    Of course... hell would freeze over, pigs would fly, and the Bush would have an epiphany on social welfare before all of the above happened.

  31. trusted computing by coolcold · · Score: 1

    only refers to trojan and virus, it doesn't care about hijacker, spywares, adware etc.

    In this certificate thing, is it verisign that doesn't care about user's "safety" on the net or is it microsoft that don't bother what verisign does since this is just something to promote that windows are safe?

    I would trust program that aren't signed more than signed ones

    --
    I am harvesting funny/good quotes. Please help by putting them in your sigs :)
  32. Bad idea by Anonymous Coward · · Score: 0

    In no way do I want VeriSign or any other certificate authority to decide who does or does not qualify for a certificate outside of the flat fee. I do not want a corporate entity making supposedly moral judgments on what I do or do not do with my certificate. That opens a whole world of abuse probability; why not just label dissenting t-shirt or sticker sites as anti-American and not issue to them? There is a whole bag of questionable motives when you start playing elitist. I question anyone who says "let's lock out this group of people with a blanket policy". If you want to stop people from trying to trick you, or swindle you, then learn to be smarter about what you are doing. Individuals have a responsibility for their own actions. These swindlers run the risk of getting caught in an illegal act and going to prison, and you run the risk of getting played if you don't pay attention. It has been said a number of times that the web is a lot like the old west in the US: you have to watch where you step. Play with sites you know to be safe, and pay attention. That's all there really is to staying away from adware and spyware and malware and, and, and. So again, no, I do not want a company telling me "no, _you_ are not allowed to buy a certificate because we think you might be naughty with it".

  33. Re:best thing to do by Ingolfke · · Score: 2, Funny

    You haven't seen goatse yet have you?

  34. The answer by tinus · · Score: 5, Informative
    This is what Verisign answered when I asked them the same question last year (and then refused the stupid automated reply):
    In response to your email, when this company submitted their request for a
    digital certificate, we followed our standard authentication &
    verification policies to make sure of the following:

    1. That the company, Click Yes To Continue, is indeed a legitimate company
    and has the right to conduct business under this company name, which was
    confirmed using an online, 3rd party web site for validating companies
    located in Canada.
    and
    2. Received a valid phone bill from the company, in which we used to call
    the company back & confirm the order.

    Please note that when a company obtaina code signing certificate, we DO NOT
    validate their code, as the customer has to agree to our certificate
    policies before even submitting their requests online.

    Therefore, we did not issue a certificate to a 'fake company'. However, we
    will forward your email to our internal security department and Verisign
    Lawyers to see if this company is indeed distributing fraudulent code using
    a certificate obtained through Verisign.

    Obviously, nothing happened afterwards.
    1. Re:The answer by Squegie · · Score: 0

      Please note that when a company obtaina code signing certificate

      obtaina?
      when a "company obtaina code signing certficate" does what?

      I'm lost.

      (Relax... it's less stressful that way)

    2. Re:The answer by rjstanford · · Score: 1

      Personally, I think that they did exactly the right thing. Seriously.

      Think about it for a minute. Do you really want some company like Verisign setting policies that state, "We assign identity-proving certificates to you if you can prove that your company meets the following standards ... oh, but only if we like your company name?"

      What about the classic first domain-hijacking for RoadRunner. That's almost universally despised, but the policy you're asking for is very similar. Would a bigger company be able to "suggest" to Verisign that other smaller companies in their space not get certificates?

      The only real way for a CA to work is for them to be impartial. If you want to go through the trouble and expense of creating a legal identity "You suck balls, LLC" and file a d/b/a as "You Suck Balls", then you should be able to get a Verisign certificate saying that you do indeed represent the organization known as "You Suck Balls."

      That's all they do after all. You (and many others) already don't seem to like 'em much. Do you really want an opinion step to be thrown in to the mix?

      Finally, it's not as if "Click YES to continue," isn't a catchy name for a software download business, so I don't even know if you could catch them out should Verisign start doing manual reviews of its certificates.

      --
      You're special forces then? That's great! I just love your olympics!
  35. Purpose of certificates? by Anonymous Coward · · Score: 0

    The only real valid application of certificates seems to be that X program really is from Y company...

    As to whether or not Y company is trust-worthy is still up for debate.

    MadCow.

  36. Obviously by evanh23 · · Score: 4, Informative

    Obviously 90% of the people posting in this discussion have no practical experience with this subject. The certificate in question is a code-signing certificate. Have you ever bought (or tried to buy) one of those from Verisign? I have and let me tell you--it is a royal pain in the ass. I can say with almost certainty that those certificates that are from a company called "CLICK YES TO CONTINUE" did not come from Verisign.

    It took me nearly two weeks to track down all the paperwork to get my code signing certificate (authenticode). The process includes designating two contacts, faxing over several forms (including a valid county business license for the company name on the application) and a notarized agreement of indemnification because they weren't able to do 3rd party identity validation on my company (they look your company name up in the white pages and call the number to make sure it exists and that you do indeed work there. My company wasn't in the phone book.) They also try to look you up in D&B. This all came after giving them the $500 for the certificate.

    That being said, I don't see how anyone could get away with purchasing a certificate such as described in the article from Verisign--maybe Thawte or another. IMO Verisign is taking some flak here due to /. ignorance.

    1. Re:Obviously by badfish99 · · Score: 1

      So you faxed them some documents and they sold you a certificate. That's all. It was a pain for you, because you obtained genuine documents. It doesn't sound like it was much work for them to check you out: if you were in the phone book, they call you back - if not, never mind.

    2. Re:Obviously by kalidasa · · Score: 2, Informative

      Read the posting directly above yours. Verisign did indeed approve this certificate. So much for your near certainty.

      The company exists, under that name. The fact that the name was obviously chosen with fraudulent intent doesn't seem to concern Verisign too much.

    3. Re:Obviously by shippo · · Score: 1

      I think that you'll find that although the code appears to come from a genuine company, and is authenticated by Verisign, the actual plug-in has a name such as 'Please Say Yes'.

      A friend of mine forwarded me a link to a site last year containing one such dodgy plug-in (a dialer app) which did this. The site has since been taken down, though.

    4. Re:Obviously by OhPlz · · Score: 2, Interesting

      This boggles my mind too. I've renewed the same server certificates for years and some code certs; it's a royal PITA. Every year they manage to throw a wrench in the process somehow: oh, this obscure piece of data we got from this place doesn't exactly match your company's street address, or we called once at 3am and no one answered.

      I'm amazed anyone can get through all that with bogus information. You'd think that someone with that kind of determination could be doing something better with their skills.

    5. Re:Obviously by khallow · · Score: 1
      That being said, I don't see how anyone could get away with purchasing a certificate such as described in the article from Verisign--maybe Thawte or another. IMO Verisign is taking some flak here due to /. ignorance.

      Verisign acquired Thawte back in 1999-2000.

    6. Re:Obviously by BooRolla · · Score: 1

      Why couldn't a company with the name "CLICK YES TO CONTINUE" follow the same steps you did to get a certificate? I bet if anything, it was easier for them. They are probably part of an adware/malware group who already know how the certificate process works, unlike you who had to fumble through it.

    7. Re:Obviously by nytmare · · Score: 1

      Are you asserting that "VeriSign Class 3 Code Signing 2001 CA" which issued the certificate to "CLICK YES TO CONTINUE" is not Verisign?

  37. brilliantly myopic by tverbeek · · Score: 2, Insightful
    The fact that the author is suggesting that Verisign do this points out why it's such a bad idea, a cure worse than the disease. Who here trusts Verisign? So why should we make them (or even let them become) arbiters of whom to trust?

    Teaching individual users to be more informed and responsible about whom they trust may be difficult, but it's better than entrusting a private, unaccountable, quasi-monopoly (let alone one with a history of un-trust-worthy behaviour) with that decision.

    --
    http://alternatives.rzero.com/
    1. Re:brilliantly myopic by Anonymous Coward · · Score: 0

      > Teaching individual users to be more informed and responsible about whom they trust may be difficult, ...

      Difficult? Try near-impossible. Computers are confoozing/complicated enough to the average user without trying to make such a distinction. WAAAY too much specialized computer knowledge for someone who wants to use an appliance.

  38. Why oh why hasn't Verisign been given the arse? by cranos · · Score: 2, Interesting

    Why hasn't this company been banned from having anything to do with the Internet?

    Time and time again it gets busted doing crap like the SiteFinder fiasco and still they get away with it.

  39. Stupid design... by zerofoo · · Score: 2, Interesting

    Software should NEVER be allowed to install itself! I'm sure some genius at MS thought it would be a great way to lure developers into using ActiveX instead of Java.

    The proper behavior would be to have a user find a download, click the download to put it somewhere on the hard drive, then have the user "double-click" the file to install the software. This would totally prevent drive-by downloads.

    -ted

    1. Re:Stupid design... by harlows_monkeys · · Score: 1
      The proper behavior would be to have a user find a download, click the download to put it somewhere on the hard drive, then have the user "double-click" the file to install the software. This would totally prevent drive-by downloads

      Yes, by preventing most installs. Go watch average users someday. It is quite enlightening.

    2. Re:Stupid design... by Mythrix · · Score: 1

      The reason they have something like this is probably that there are some users who, after downloading a file, won't be able to find it unless it's saved on the desktop.

  40. Use OpenCA and build-in trust levels in Firefox by Donny+Smith · · Score: 2, Interesting

    Firefox should have a mechanism to assign different levels of trust to CAs - http://www.openca.org/openca/ would have a higher level and VeriSign a lower level.
    This could be changed by the end user, though.

    When the user gets presented with a dialog box, Firefox would suggest the user to not trust VeriSign-signed sites.

    The "VeriSign penalty" could be adjusted in each new release based on their willingness to get their shit together. Fuckos.

  41. Obligatory Rap... by game+kid · · Score: 1

    All my Silicon niggas, uhh,
    All my MIT bitches, uhh...

    (repeat and then freestyle about hacker lifestyle and experiences with spyware in the ghetto, with repeating drum beat in background)

    --
    You can hold down the "B" button for continuous firing.
  42. That's far too short-sighted by Fished · · Score: 1
    In the long run, this sort of thing will undermine trust in Verisign's certs and in digital certificates in general. At that point, the market is open for a new cert company that does a more thorough job of researching the companies to whom they grant certs. Verisign should know this, however years of experience with them convinces me that they probably don't.

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
    1. Re:That's far too short-sighted by dnoyeb · · Score: 1

      Decisions are not made in the company's best interest but in management's best interest. They use the 'shareholders' as their lame excuse.

    2. Re:That's far too short-sighted by Grishnakh · · Score: 1

      Exactly. It's not in management's interest to make a strong, well-principled company that will last and be profitable for many years. It's more profitable for them to make more money now, and push the stock price up in the short term; this way, the management gets bigger bonuses, and a big golden parachute in case something goes wrong. By the time the sh*t hits the fan and the company starts going down the tubes, the current management has gone down the road, leaving someone else stuck with the mess.

  43. Re:A dumb users first experience of the internet.. by TractorBarry · · Score: 5, Insightful

    > And when they speak to their geek friends (or friends of their kids), they get told dismissively and condescendingly that YES, they must install to see the site properly, to do what they want. You can bet that they won't ask a second time!

    Not this geek friend. I tell people not to trust anyone on the internet and to never download any crappy plugins, as 90% of them will simply be used for serving up intrusive advertising. And if the site doesn't work without their plugins, then go elsewhere.

    After I've removed the first load of spyware and repeated the advice they usually listen. If not they don't get a second visit from me. I just point them to the internet and say "You're not interested in my advice so you can fix things yourself".

    Sorry I've gone half tilt Amish on the idiots of the internet. If you can't get your message over to me using plain old HTML and static images you can stick your message up your arse.

    The internet is not digital TV.

    Personally I can't wait 'til someone invents some sort of uber bandwidth media-tastic bright & shiny "Hyper Net" (now with unbrakabul DRM (tm)). Then all the drongos can go and happily consume on it whilst leaving the rest of us with our "good old" internet.

    Plugins ? I spit on you all.

    --
    Sky subscribers are morons. They pay to be advertised at !
  44. Steps to disable the download prompts by Anonymous Coward · · Score: 0

    This program has been quite helpful on an enterprise deployment to prevent the "download this?" type boxes that pop-up and install 99% of most adware. It's free, and only changes configurations and you're done with it at that point, so I'm happy to suggest it.

    http://www.javacoolsoftware.com/spywareblaster.html

  45. Quit treating certificates as indications of trust by argent · · Score: 4, Insightful

    The other solution is to quit treating digital certificates as something to do with trust (the authorization-vs-authentication fallacy). Microsoft's stupid "security zones" model takes this blatant idiocy further than anyone, but all browsers have adopted some similar conceptual structure.

    A certificate doesn't tell you anything about whether a web site is secure, trustable, or anything else. It simply provides a slightly better verification of identity.

  46. What's the matter with drive-by downloads ? by Anonymous Coward · · Score: 0
    http://home.btconnect.com/chrisandcarolyn/torrents/SUSE-9.2-for-Windows.iso.torrent
    will get you a SUSE-Linux-for-Windows ISO.

    Not quite drive-by, because you'll have to register (free and anonymous), but not such a bad idea.

    Does this http://home.btconnect.com/chrisandcarolyn/suse-for-windows.png . Trust me.

  47. Why do people just click OK? Because of the OS. by ianscot · · Score: 3, Insightful
    I know plenty of people who will just click OK without even looking at what they're agreeing to.

    Which should tell us there's a bigger problem here than whether Verisign is, in the fashion of the AKC, turning a blind eye to puppymillers who'll pay for registration papers.

    If users have been conditioned to routinely say "yes" or "OK" to anything they see, it's partly because the APIs they deal with all day long encourage the writing of bad, unintelligible dialogs. Anyone who's ever waded through the "Yes No Help" dialog box when saving to a .csv file from Excel knows this problem. That one's unreal: they give us a bulleted list in the dialog that basically translates the buttons.

    It's no accident that tons of the spyware pop-ups out there look like Windows dialog boxes. People are so used to clicking through horribly-written dialogs that they don't pay any attention. A better set of API default dialog types would nudge everyone, programmers and users, in the direction of actually readable dialogs that mean something.

    --
    "Fundamentalism" isn't about divine morality. It's about human authority.
  48. Misleading title? by akeyes · · Score: 1

    Am I the only one who first thought that this had something to do with wardriving?

    1. Re:Misleading title? by Anonymous Coward · · Score: 0

      I figured it would be something to do with wardrivers P2Ping or something similar.

  49. Real use of certificates... by MadCow42 · · Score: 2, Informative

    The only real use of a certificate is to show that the software you download is actually from the company that it's claiming to be from.

    The trust-worthiness of that company is still in debate... you just now know who it is you're dealing with.

    MadCow.

    --
    I used to have a sig, but I set it free and it never came back.
    1. Re:Real use of certificates... by argent · · Score: 1

      The only real use of a certificate is to show that the software you download is actually from the company that it's claiming to be from.

      It doesn't really even tell you that much. All it does is authenticate the DNS name in the URL. In a few cases it might be possible for the certificate issuer to do more than a cursory investigation of the company name, but not routinely at the prices they have to charge to actually sell certificates.

  50. Forensic work? by Anonymous Coward · · Score: 0

    For the love of everything sacred... stop prefixing every IT activity with the term "forensics". There is nothing this guy has done that would remotely qualify as forensic work.

  51. I'm tired of protecting the stupid by Anita+Coney · · Score: 2, Interesting

    Seriously, anyone who clicks on crap like that deserves to get screwed! My father-in-law is one of those types. It's a compulsion. He clicks on any spam, pop-up, or banner ad no matter how many times I've told him to stop. I had to set up a very restricted user account on his computer. Essentially he's unable to download or install anything. But he's been spyware free for over a year now.

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.
    1. Re:I'm tired of protecting the stupid by kalislashdot · · Score: 1

      I have to agree. If you are stupid enough to fall for it, you deserve it. Just like seat belt laws. I wear my seat belt so I do not get killed. The law protected people who are too stupid to wear it on their own.

    2. Re:I'm tired of protecting the stupid by Knackered · · Score: 1

      The problem with this is that you pay the incidental costs of the actions of the stupid; in the seatbelt case, the cost of the traffic delays, police investigations into fatalities, etc. In the spyware case, the extra bandwidth provision, the extra spam from zombies, etc.

      Society cannot and should not try to protect people from all of their stupid actions, but sometimes it is necessary when their actions impede others.

      --
      a.
    3. Re:I'm tired of protecting the stupid by Grishnakh · · Score: 1

      Just like seat belt laws. I wear my seat belt so I do not get killed. The law protected people who are too stupid to wear it on their own.

      There's a very serious problem with this idea: people who don't wear seatbelts don't always get killed. This is why we have seatbelt laws. Many times, when people wreck without their seatbelt fastened, they sustain terrible injuries, which means huge medical bills. Here in the USA, we have a very strange healthcare system. If you're well-off, you have insurance to pay for your healthcare. If you're not so well off, but still work for a living, but can't afford insurance, you have to pay out-of-pocket for the overpriced health care, and generally try to go without when possible. But if you're poor, and need emergency treatment that you can't afford, the rest of us all pay for it in the form of higher healthcare costs, higher insurance costs, and higher taxes. And thanks to screwy laws, the hospital isn't allowed to just put you to sleep because you were too stupid to wear a seatbelt, and now need a ventilator to live.

      I support seatbelt laws, as long as other laws require heroic medical treatment for stupid people. Get rid of that requirement, and let the hospitals just put stupid people out of their misery, and then you'll have a good case for eliminating the mandatory seatbelt laws.

    4. Re:I'm tired of protecting the stupid by spitzak · · Score: 1

      Actually it affects even those rich people you are talking about. Even if only rich people could afford insurance, "smart" rich people are still subsidizing the "stupid" rich people who don't wear seatbelts, because the insurance premiums rise for all of them. So even ignoring subsidized medicine, there is a benefit from seatbelt laws.

    5. Re:I'm tired of protecting the stupid by Grishnakh · · Score: 1

      Yeah, that's true. The only way to make it fair for people to decide whether they want to wear their seatbelts or not is to either eliminate medical insurance, in which case the stupid people will be stuck with the bill entirely, or to set up some laws such that insurance companies can refuse to pay your treatment costs if they're a direct result of your stupidity.

      I think the latter sounds like a good plan.

  52. Re: Java? by markdowling · · Score: 1

    I can understand why ActiveX sites wouldn't work - but not Java!

  53. Yeah.. but can they stop... by Anonymous Coward · · Score: 0
  54. Ben just had massive DDoS on his site ... by xmas2003 · · Score: 2
    Very much related to this is the massive DDoS that Ben had on his site - peaked out at 600 MBYTES/second and also mentioned prominently in the referenced slashdot article above. Gotta wonder if the cockroaches (aka spyware companies) are getting just a little pissed off at Ben?!?

    Read my Technocrat article for more info and I also submitted to Slashdot, but it got rejected - oh well.

    --
    Hulk SMASH Celiac Disease
  55. Re:A dumb users first experience of the internet.. by GeckoX · · Score: 1

    How's about you stick to Gopher if you don't want anything else out of the internet? Then you could let all us 'drongos' happily consume on the "Hyper Net" tx.

    There are other ways to help people.

    --
    No Comment.
  56. Java or Shockwave? by mopslik · · Score: 1

    Most of the time they don't work either because they need java or activex, or because they are just broken.

    Both ActiveX and Shockwave won't run, short of running WINE, but Java? All you have to do is download the RPMs from here.

    1. Re:Java or Shockwave? by Anonymous Coward · · Score: 0

      Oh, yeah, making Java work is trivial. It never fails to work, and it is very simple to figure out what is wrong when it does fail.

    2. Re:Java or Shockwave? by mopslik · · Score: 1

      Oh, yeah, making Java work is trivial.

      Generally, it is. In the case of RedHat, you just have to install the appropriate RPMs. Same for the other major desktop contender, SuSE. You did check to see that they were the correct RPMs, right? The newest RedHat RPMs are tailored for RHEL and/or Fedora, and will likely require additional updates and dependencies to run on an older RedHat 9 installation.

      What sort of problems are you encountering with RedHat 9? Have you tried searching the support forums, or verifying that you are indeed using the appropriate RPM? Post some details -- Java version, RPM info, error messages -- and we'll see if this is the case. I suspect it's an easy fix, though "easy" might entail quite a bit of downloading and/or upgrading packages.

      It never fails to work, and it is very simple to figure out what is wrong when it does fail.

      Again, if you choose the appropriate RPMs, there should be no problems, unless you've deliberately gone out of your way to try and sabotage your machine. And, unfortunately, you've given no clues as to what types of errors are being generated by your system, so this does make it difficult to figure out what's wrong.

      I suspect that you simply haven't set up the machine correctly, and are trying to blame Java for your woes.

  57. Re: Java? by archen · · Score: 4, Insightful

    You'd be surprised. Our company bought a product from UPS logistics that uses the Sun Java runtime but doesn't work in Firefox. (yes I'm serious). Turns out they have a bunch of IE-only javascript that sends parameters to the applet; without the parameters it doesn't initialize. I dug around the system for like an hour trying to figure out what it was doing, but in the end just gave up. Lazy programmers will always bone you, no matter how portable something is supposed to be.

  58. Um, how could "Click Yes To Continue" fool anyone? by kalirion · · Score: 2, Interesting

    Do you want to install and run "ULTRA-FAST P3N!$ ENHANCER 4.3" signed on 3/27/2003 10:54 AM and distributed by:

    CLICK YES TO CONTINUE

    Publisher authenticity verified by VeriSign Class 3 Code Signing 2001 CA

    Caution: CLICK YES TO CONTINUE asserts that this content is safe. You should only install/view this content if you trust CLICK YES TO CONTINUE to make that assertion.

    [] Always trust content from CLICK YES TO CONTINUE.
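    The dialog above puts the CA-verified subject name straight into the prompt, so a legally registered name that reads like a button instruction becomes the lure. One defensive response a browser, endpoint agent or signed-binary inventory could take is to flag signer names that look like UI instructions before the prompt is shown. The following is an added example, not code from the page, from Ben Edelman or from VeriSign; the heuristics, the DN parser and the sample signer records are my own constructions.

```python
import re
from dataclasses import dataclass, field

# Vocabulary that, inside a publisher name, reads as an instruction to the user
# rather than as a company name. Constructed for this example.
IMPERATIVES = {"click", "press", "choose", "select", "say", "hit", "tap"}
BUTTON_WORDS = {"yes", "ok", "okay", "continue", "install", "run", "accept",
                "allow", "open", "next"}


def parse_dn(dn: str) -> dict:
    """Parse a simple RFC 4514-style distinguished name ('CN=Foo\\, Inc., O=Foo, C=US')
    into a dict keyed by attribute type. Backslash-escaped commas are honoured;
    multi-valued RDNs are not needed for this example."""
    out = {}
    for rdn in re.split(r"(?<!\\),\s*", dn):
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        out[key.strip().upper()] = value.replace("\\,", ",").strip()
    return out


@dataclass
class Finding:
    publisher: str
    reasons: list = field(default_factory=list)


def assess_publisher(subject_dn: str) -> Finding:
    """Return the reasons (if any) a signer's CN looks like dialog text rather than a name.
    An empty reasons list means no heuristic fired."""
    cn = parse_dn(subject_dn).get("CN", "")
    tokens = re.findall(r"[a-z0-9]+", cn.lower())
    finding = Finding(cn)
    if any(t in IMPERATIVES for t in tokens) and any(t in BUTTON_WORDS for t in tokens):
        finding.reasons.append("name reads as a UI instruction (imperative + button word)")
    if cn and cn == cn.upper() and any(c.isalpha() for c in cn) and len(tokens) >= 3:
        finding.reasons.append("all-capital multi-word name mimics dialog text")
    if tokens and tokens[0] in IMPERATIVES:
        finding.reasons.append("name starts with an imperative verb")
    return finding


def triage(records):
    """Given (file name, signer subject DN) pairs, return the entries worth a human look."""
    flagged = []
    for file_name, subject_dn in records:
        finding = assess_publisher(subject_dn)
        if finding.reasons:
            flagged.append((file_name, finding))
    return flagged


# Constructed sample of signer subjects as they would be read from Authenticode
# signatures; the second entry shows an escaped comma in a legitimate CN.
SAMPLE_RECORDS = [
    ("enhancer43.cab", "CN=CLICK YES TO CONTINUE, O=CLICK YES TO CONTINUE, C=CA"),
    ("flashplayer.cab", "CN=Macromedia\\, Inc., O=Macromedia\\, Inc., ST=California, C=US"),
    ("tools.exe", "CN=Press OK Software Ltd, O=Press OK Software Ltd, C=GB"),
    ("viewer.exe", "CN=Acme Viewer Co, C=US"),
]

if __name__ == "__main__":
    for file_name, finding in triage(SAMPLE_RECORDS):
        print(f"{file_name}: signer '{finding.publisher}'")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The verdict is a prompt for review, not a revocation: a flagged name still carries a valid signature, which is exactly the gap the thread is arguing about.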

  59. certificate of trust by john_uy · · Score: 1
    i think the main reason of issuing a certificate is validating that the company is who they say they are. now this is different from issuing a certificate to companies that you like or companies that are "good."

    my analogy would be the issuance of a driver's license. a check will be done to authenticate a person and imprint the details in the id card. now, the dmv or whatever department does not check for a person (or maybe in a limited basis - since i don't live in the usa) if they have a tainted image as long as probably they don't have any police records (not sure about this.) they won't be asking your peers if you are a good and worthy person.

    now what i think should be done is to create something that will validate companies based on their behavior, track record, customer service and satisfaction, etc.

    --
    Live your life each day as if it was your last.
  60. Oh yea, great by real+gumby · · Score: 1

    Great. I really want Verisign deciding what is and is not an "obviously fake name". Aren't there already too many chokepoints under their control?

    Free speech is free speech, even when jerks use it.

  61. Re:best thing to do by borawjm · · Score: 0

    you were just reading bash.org weren't you?

  62. So Let Me Get THis Straight.... by mshurpik · · Score: 1

    What you're saying is that we should use VeriSign to certify that we are getting the correct spyware?

    I think the problem is that VeriSign certificates don't do much to begin with. Let's say I get a piece of software from UltraSoft Inc. Is it spyware or not? All the certificate tells me is that it's happening.

    Which is something. But certificates look official and fool newbie users into the idea that they can now make an intelligent decision. If anything, at least the fake ones make it obvious!

  63. Re:best thing to do by Anonymous Coward · · Score: 0

    What is this "goatse" of which you speak? I am just a poor goatherder, and I would be very grateful for any information that would help me take better care of my charges. Thank you.

  64. Re:A dumb users first experience of the internet.. by Anonymous Coward · · Score: 0
    But you can't do this with Windows... because Windows gives you nothing, and certainly nothing from Apple, Real, Macromedia, Sun, etc... and then to compound it, Windows is an open playground for malware once downloaded.

    If Windows RME were permitted to be shipped with not just alternatives and pre-configured competitor offerings for media, but also with common plugins for the web... and... maybe even Firefox to give choice... then this would do more to prevent malware spreading than Verisign being forced to change their practices.

    OEMs often do this. Any computer I've purchased in the past few years has come with Shockwave and Sun Java preinstalled, and much to my chagrin, often RealPlayer as well. OEMs can't just download, install and configure, however. They need the appropriate support structure internally to handle the third-party software. They also often need agreements with the producers of the software in order to redistribute it in a commercial context.

    I know you're trying to pin blame for this onto Microsoft, but Microsoft really doesn't have any say in what the OEMs do anymore.
  65. What we need... by Mythrix · · Score: 1

    ..is a "Verified by Slashdot" certificate.

  66. not a user by Anonymous Coward · · Score: 0

    I'm not a user so i guess i can link to them all i want.

  67. Represent your colors! by David+Rolfe · · Score: 1

    West Siiiiiiiiiiii-eeeeed!!

    --
    Read Heinlein's 1953 Revolt in 2100, now more than ever.
    1. Re:Represent your colors! by Anonymous Coward · · Score: 0

      East-side Slashdot Massiv! Booyakasha!

  68. The point is... by davegust · · Score: 4, Informative

    The point of certificates is to prevent impersonation of trusted sources by untrusted sources. Anyone can register a valid company name. Verisign considers proof of name a printed phone listing (they call you back at the published number) or a notarized copy of a business license.

    So somebody seems to have registered a company name "Click YES to continue" in some state. It's probably a legal company name. I agree with the author that this is obviously deceptive practice, and Verisign should revoke the certificate. In addition, we should be able to complain to Verisign about other companies violating the Verisign agreement.

    I don't know what they do if the company name is a duplicate of another previously registered name.

  69. Re:best thing to do by 42forty-two42 · · Score: 1

    Here's the original: "i'm going to become rich and famous after i invent a device that allows you to stab people in the face over the internet" Not sure who said it though...

  70. Re:Um, how could "Click Yes To Continue" fool anyo by JaffaKREE · · Score: 1

    Because in the quarter-second they actually have the dialog box up, they see : blahblah CLICK YES TO CONTINUE Publisher blah blah

  71. DARE by bleckywelcky · · Score: 1

    Our DARE officer from back in elementary school said it best: Just Say No.

  72. Re:best thing to do by Anonymous Coward · · Score: 0

    If in doubt, go to the source

  73. It's about trust by budgenator · · Score: 2, Insightful

    Verisign's main corporate asset is trust; the entire certificate business is centered around that trust. What we have to trust is that Verisign has in place an effective mechanism to ensure that entities are in fact who they say they are and is applying that mechanism effectively. It appears that Verisign is not effectively applying that mechanism, and is wasting its most important asset. For quite a while I've suspected that a Verisign cert only meant that some paperwork was filled out and a check cashed.

    Personally I don't care if Tony Soprano is doing it as long as he ensures the entities are who they say they are and is actually enforcing the contract. Tony might be better; the dirtbags are less likely to jerk him around.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  74. Legal issues? by rsilvergun · · Score: 1

    I suppose it would be a pain to fairly and legally distinguish between a drive-by downloader and, say, Macromedia. Especially such that companies in the grey area (weatherbug, yeah, I hate them too, but they seem more or less legit these days). What do you do when the company 'CLICK YES TO CONTINUE' sues you. Silly, I know, but what if your company's called 'My IE enhancements'. I say that's a drive-by, but it's legit-sounding enough for a real company to maybe be behind it.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  75. To stop those instinctive impulses to press Yes... by AKosygin · · Score: 1

    Maybe we should make the FireFox browser invert the question and say "Are you sure you do not want to run this signed application?"

    That way, when users instinctively just press "Yes" it will just go away and not install.

  76. Verisign do the Right Thing? by DSP_Geek · · Score: 1

    Surely you jest. They're still trying to hijack DNS, using the NetSol domain lookup page a couple of years ago meant the name got hijacked within 48 hours, and AFAIK NetSol is still screwing people on domain transfers to other registrars.

    The above weren't isolated instances, but happened often enough to show that's the way NetSol, and by extension VeriSign, do business.

  77. Re:A dumb users first experience of the internet.. by WebCrapper · · Score: 1
    Sorry I've gone half tilt Amish on the idiots of the internet. If you can't get your message over to me using plain old HTML and static images you can stick your message up your arse.


    I agree with this mentality. While I haven't killed flash for my browsing experience, I can't stand the sites that use MonsterTemplate.com or something like them with their repeating flash toppers that are just like the html blink tag. If I'm reading a page, the last thing I want to catch my attention is the topper that is just wisps or blinking blocks.

    On a very rare occasion, I may design something in Flash, but I ALWAYS export it as a GIF movie and never let it repeat. While flashy (no pun intended) are neat, they are not always needed.
  78. Re:A dumb users first experience of the internet.. by raehl · · Score: 1

    Personally I can't wait 'til someone invents some sort of uber bandwidth media-tastic bright & shiny "Hyper Net" (now with unbrakabul DRM (tm)). Then all the drongos can go and happily consume on it whilst leaving the rest of us with our "good old" internet.

    We call it Usenet. We're glad the drongos have moved on to places like Slashdot.

  79. Not exactly... by raehl · · Score: 1

    the problem is literacy and common sense, something that many people seem to lose the minute they touch a computer.

    They never had it in the first place. It's just more noticeable when you let them touch a computer instead of, say, just allowing them to watch TV.

  80. Better colours by Anonymous Coward · · Score: 0
  81. Web of trust, anyone? by karlandtanya · · Score: 1

    Do you understand what a certificate does?

    It's one person (VeriSign) vouching for the other person (purchaser of the cert).

    If you don't trust both the good will and competence of the one person, then what they have to say about the other person is meaningless.

    I'm hoping VeriSign will screw this up so royally that people begin to understand that they can get *exactly* the same security by either:

    A. Ignoring certificates altogether.

    B. Using other tools to build a web of trust within your working group.

    --
    "Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
  82. VeriSign is Worthless by Diablo1399 · · Score: 1

    If all it can do is provide a reasonable guarantee that a particular piece of software comes from a given company, what's the point??? I want a reliable guarantee that the software contains no malicious code or adware -- until VeriSign can do that, all they're providing is a false sense of security.

  83. bonzer buddy? by Eric+S+Raymond · · Score: 1

    "bonzer's not my buddy"
    It's Bonzi Buddy, stupid.

    --
    Bypass Compulsory Web Registration -- http://bugmenot.com/
  84. Sounds like a call for a Class Action Lawsuit by Anonymous Coward · · Score: 0

    Let's see:

    VeriSign has made every effort to develop a reputation worthy of trust. VeriSign's client agreement says that the clients should not be perpetrating such deceptions. It should be obvious[*] to VeriSign that some of these product names are blatant attempts at deception.

    Sounds to me like VeriSign is ripe for a class action lawsuit, filed on behalf of everyone who has ever been victimized by one of these deceptions.

    You know, I used to be wholly of the opinion that there is too much litigation, too many class action lawsuits. And I think there probably are. But this is an example of why I think tort reform must be handled carefully: VeriSign is clearly being negligent in not performing a basic level of vetting and validation, a level that is far below what it seeks to establish as the level of trust by which it is worthy.

    If I am selling apples, I am responsible for ensuring that there are not too many rotten apples in what I sell.

    If you seek to sell trust, you must be willing to defend your own trustworthiness.

    ([*]Even if the release of new signatures is fully automated, this does not release VeriSign from the obligation to perform some minimal level of checking. E.g. I think that they would be obligated to have a list of words or phrases not allowed in the company or product name, and a mechanism for updating such a list when a new deception is uncovered.)

    For the folks who say that they are tired of protecting stupid people: Caveat Emptor went out with the Romans. English Law, the law that the US and similar countries live by, assumes and requires basic standards of behavior.

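An added worked example, not code from any poster in this thread, modelling the three points made in comments 81, 82 and 84 above: a certificate is only the issuer vouching for a name-to-key binding, so a chain means nothing once the issuer's root is absent from your trust store; a valid code signature proves who signed, not that the code is benign; and a CA could refuse subject names containing deceptive phrases. Textbook RSA over SHA-256 with small Mersenne-prime moduli is assumed as a stand-in for a real signature scheme (it illustrates trust logic only and is not secure); the CA names, the "Our Working Group CA" anchor, the installer bytes and the phrase denylist are all constructed for the example.

```python
"""Trust anchors, what a code signature proves, and subject-name vetting.

Added example, not from the thread. Textbook RSA over SHA-256 with
Mersenne-prime moduli stands in for a real signature scheme (insecure;
trust-logic illustration only). All names, keys and bytes are constructed.
"""
import hashlib
import json
from dataclasses import dataclass

E = 65537  # public exponent; coprime to phi for every prime pair used below

def keypair(p: int, q: int):
    """Return (private (n, d), public (n, e)) from two distinct primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, pow(E, -1, phi)), (n, E)

def _digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest_int(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: tuple     # (n, e)
    signature: int    # issuer's signature over tbs()

    def tbs(self) -> bytes:
        """The to-be-signed fields: exactly what the issuer vouches for."""
        return json.dumps([self.subject, self.issuer, list(self.pubkey)]).encode()

def issue(issuer: str, issuer_priv, subject: str, subject_pub) -> Cert:
    """The issuer vouches for a (subject name, public key) binding; nothing more."""
    unsigned = Cert(subject, issuer, subject_pub, 0)
    return Cert(subject, issuer, subject_pub, sign(issuer_priv, unsigned.tbs()))

def verify_chain(leaf: Cert, pool: dict, trust_store: dict, max_depth: int = 5) -> bool:
    """Follow issuer links until a trust-store anchor signs the current cert.

    pool maps subject -> Cert (intermediates and roots); trust_store maps
    anchor name -> public key. Valid signatures from an issuer you have not
    chosen to trust prove nothing, so without an anchor the walk ends False.
    """
    cert = leaf
    for _ in range(max_depth):
        if cert.issuer in trust_store:
            return verify(trust_store[cert.issuer], cert.tbs(), cert.signature)
        if cert.issuer == cert.subject:
            return False  # self-signed root that is not one of our anchors
        issuer_cert = pool.get(cert.issuer)
        if issuer_cert is None or not verify(issuer_cert.pubkey, cert.tbs(), cert.signature):
            return False
        cert = issuer_cert
    return False

# Constructed denylist of the kind comment 84 proposes a CA should maintain.
DECEPTIVE_PHRASES = ("click yes", "to continue", "press ok", "must install")

def vet_subject(name: str) -> list:
    """Phrases in a requested subject name that a CA should refuse to certify."""
    lowered = name.lower()
    return [phrase for phrase in DECEPTIVE_PHRASES if phrase in lowered]

# Mersenne primes 2**p - 1; tiny on purpose (this is a model, not a cipher suite).
M13, M17, M19, M31, M61, M89, M107, M127 = ((1 << p) - 1 for p in (13, 17, 19, 31, 61, 89, 107, 127))

def demo() -> dict:
    root_priv, root_pub = keypair(M89, M107)      # commercial CA root (constructed)
    inter_priv, inter_pub = keypair(M61, M127)    # its code-signing intermediate
    group_priv, group_pub = keypair(M31, M17)     # your working group's own anchor
    vendor_priv, vendor_pub = keypair(M19, M13)   # the party signing the installer

    root_name, inter_name = "Example Root CA (constructed)", "Example Code Signing CA (constructed)"
    group_name, vendor = "Our Working Group CA (constructed)", "CLICK YES TO CONTINUE"

    root = issue(root_name, root_priv, root_name, root_pub)   # self-signed root
    inter = issue(root_name, root_priv, inter_name, inter_pub)
    leaf = issue(inter_name, inter_priv, vendor, vendor_pub)
    pool = {root.subject: root, inter.subject: inter}

    installer = b"constructed installer bytes"
    code_sig = sign(vendor_priv, installer)

    # Web-of-trust alternative: the group certifies a key it audited itself.
    group_leaf = issue(group_name, group_priv, "Tool we reviewed ourselves", vendor_pub)

    return {
        # A valid signature proves only who signed, never that the code is benign.
        "code_signature_ok": verify(leaf.pubkey, installer, code_sig),
        "tampered_rejected": not verify(leaf.pubkey, installer + b"!", code_sig),
        "chain_ok_trusting_ca": verify_chain(leaf, pool, {root_name: root_pub}),
        "chain_ok_ca_removed": verify_chain(leaf, pool, {group_name: group_pub}),
        "chain_ok_group_anchor": verify_chain(group_leaf, {}, {group_name: group_pub}),
        "subject_flags": vet_subject(vendor),
    }
```

Calling `demo()` shows the two signatures on the deceptive vendor's chain verifying perfectly while the commercial root is in the trust store, the same chain failing the moment that root is dropped in favour of the group's own anchor, and `vet_subject` flagging "click yes" and "to continue" in the name before any certificate is issued.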
  85. Remember Drive By Long Distance Phone Service? by CodeBuster · · Score: 2, Interesting

    After reading the article I was reminded of the common practice in the late 1980s and early 1990s, before cell phones were nearly as common as they are now, of people registering long distance phone companies with names like "it doesn't matter" and "makes no difference", so that when an unsuspecting pay phone user, at an airport, say, after a long flight, was asked which long distance company's services they wanted, they would get stuck with one of these unscrupulous operators, who would then proceed to charge them out the nose, ~$5.00+ per minute, for the call (especially on those card phones which took credit).

  86. I call bollocks. by Anonymous Coward · · Score: 0

    VeriSign's main corporate assets are having their roots hardcoded into browsers and owning the .com registry. I've applied for more than one VeriSign Class 3 certificate, I know people who work there, and I know what kind of Charlie Foxtrot their operation is. In fact, a while back they even got hoodwinked into issuing certificates in Microsoft's name to someone else entirely, which led to a rather embarrassed addition to the CRL a couple of weeks later.

    Unfortunately, at VeriSign, The Value of Trust(tm) is whatever you're willing to pay.