Slashdot Mirror
How VeriSign Could Stop Drive-By Downloads
emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."
After the whole debacle with the DNS somehow i don't see Verisign prioritize ethics over profit any time soon
If an experiment works, something has gone wrong.
Ever tried removing these certificates out of MS IE on winXP, they buggers just keep getting downloaded and reinstalled and so far I don't know any way to disable this "feature"
I know what you mean about never clicking "OK" or "YES" buttons, hell I won't even click "NO". Ok, so it's not so much a problem these days what with the OSX and the Mac but at the end of my Windows "experience" I simply decided that nothing that popped up could be trusted. I got the idea in my head that even the "NO" button was a lie.
My own saving grace (I think) was that I got in the habit of always going down to the taskbar and doing the "right-click, close" bit.
Education is the ticket but man, I question whether or not some of these people can be educated. I've been at this for over a decade in the same job, supporting the same people and the people I've been trying to teach continue to step on the landmines. Sure from time to time there's a success story or two with my users but for the most part the ones who are going to screw up continue to screw up.
Appended to the end of comments you post. 120 chars.
Unchecking it prevents IE from offering to download IE language packs when you visit a website you cannot view with currently installed languages. Nothing more. If you have all the languages you can read installed already, then you probably won't want this checked.
the point of a certificate is NOT to verify that the company/person is a trustworthy company/person
it's to verify that the software is FROM the person/company on the certificate
certificates verify identification/authentication -- they are NOT an indication of trustyworthy software, nor are they supposed to be.
the problem is literacy and common sense, something that many people seem to lose the minute they touch a computer.
Obviously, nothing happened afterwards.
Obviosly 90% of the people posting in this discussion have no practical experience with this subject. The certificate in question is a code-signing certificate. Have you ever bought (or tried to buy) one of those from Verisign? I have and let me tell you--it is a royal pain in the ass. I can say with almost certainty that those certificates that are from a company called "CLICK YES TO CONTINUE" did not come from Verisign.
/. ignorance.
It took me nearly two weeks to track down all the paperwork to get my code signing certificate (authenticode). The process includes designating two contacts, faxing over several forms (including a valid county business license for the company name on the application) and a notorized agreement of indemification because they weren't able to do 3rd party identity validation on my company (they look your company name up in the white pages and call the number to make sure it exists and that you do indeed work there. My company wasn't in the phone book.) They also try to look you up in D&B. This all came after giving them the $500 for the certificate.
That being said, I don't see how anyone could get away with purchasing a certificate such as described in the article from Verisign--maybe Thawte or another. IMO Verisign is taking some flak here due to
Verisign is not only trusted by IE, but XP itself!
Verisign is recognized as an authorized certificate authority because Windows has a central certificate store that can be used for a wide variety of applications (much more than just browsing the web). This sort of seems like a logical, good design way of doing it (rather than each app having an island of certificates).
The root certificates that you are speaking of, which you can find in the MMC snap-in Certificates, have specific uses that they are allowed for. There are several Verisign certificates, including one used to validate Verisign issued email signing certificates, another general purpose one for code signing (which can be pervasive in Windows if you desire) and client certificates, and so on. By themselves they don't allow Verisign to ownz your machine, but rather allow you to use Verisign issued certificates in a whole trust infrastructure.
The only real use of a certificate is to show that the software you download is actually from the company that it's claiming to be from.
The trust-worthiness of that company is still in debate... you just now know who it is you're dealing with.
MadCow.
I used to have a sig, but I set it free and it never came back.
Part of Apple's Human Interface Guidelines is to avoid buttons that say "Okay" or "Yes." Buttons should have verbs in them telling the user what's going to happen. So, on a Mac, it says "Install" instead of "Okay." So you can be sure what's going to happen when you click it. Quite handy.
You have two hands and one brain, so always code twice as much as you think!
The point of certificates is to prevent impersonation of trusted sources by untrusted sources. Anyone can register a valid company name. Verisign considers proof of name a printed phone listing (they call you back at the published number) or a notarized copy of a business license.
So somebody seems to have registered a company name "Click YES to continue" in some state. It's probably a legal company name. I agree with the author that this is obviously deceptive practice, and Verisign should revoke the certificate revoked. In addition, we should be able to complain to Verisign about other companies violating the Verisign agreement.
I don't know what they do if the company name is a duplicate of another previously registered name.