Slashdot Mirror

← Back to Stories (view on slashdot.org)

How VeriSign Could Stop Drive-By Downloads

Posted by Zonk on from the bonzer's-not-my-buddy dept.

emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."

2 of 229 comments (clear)

  1. Re:Meanwhile by DarkTempes · · Score: 5, Informative

    the point of a certificate is NOT to verify that the company/person is a trustworthy company/person

    it's to verify that the software is FROM the person/company on the certificate

    certificates verify identification/authentication -- they are NOT an indication of trustyworthy software, nor are they supposed to be.

    the problem is literacy and common sense, something that many people seem to lose the minute they touch a computer.

  2. The answer by tinus · · Score: 5, Informative
    This is what Verisign answered when I asked them the same question last year (and then refused the stupid automated reply):
    In response to your email, when this company submitted their request for a
    digital certificate, we followed our standard authenticiation &
    verification policies to make sure of the following:

    1. That the company, Click Yes To Continue, is indeed a legitimate company
    and has the right to conduct business under this company name, which was
    confirmed using an online, 3rd party web site for validating companies
    located in Canada.
    and
    2. Received a valid phone bill from the company, in which we used to call
    the company back & confirm the order.

    Please note that when a company obtaina code signing certificate, we DO NOT
    validate their code, as the customer has to agree to our certificate
    policies before even submitting their requets online.

    Therefore, we did not issue a certificate to a 'fake company'. However, we
    will forward your email to our internal security department and Verisign
    Lawyers to see if this company is indeed distributing fraudulent code using
    a certificate obtained through Verisign.

    Obviously, nothing happened afterwards.