How VeriSign Could Stop Drive-By Downloads

emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."

Meanwhile

[cynix.org]

The beauty of certificates is, you decide who you trust. If you object to VeriSign's practice of issuing certificates to spyware/adware makers, simply don't choose to trust VeriSign's root certificate. This is only a temporary measure, I guess.

Re:Meanwhile

[insert_username_here]

So you expect an clueless computer user, who's just learning about this interweb, to understand the importance of trust when downloading software?

Even ignoring people who've never used a computer before, a lot of people are, unfortunately, very trustworthy.

Having partly software-verifiable certificates (i.e. signed by Verisign instead of self-signed) goes a long way to helping a browser tell a user whether or not they should be able to trust this mysterious "gator.exe" (of course, people will always find ways around it).

Re:Meanwhile

[strider44]

Tell me then, what's the point of having a certificate when you can get it under any name you want, for any (possibly) malicious piece of software? If it doesn't give any indication of being trust worthy at all then it's absolutely worthless!

It's ironic that a Microsoft representative a little while ago criticising Firefox not paying for a certificate for the download. What is to stop someone registering "Firefox Browser" or "Click Yes to Download" instead? Certificates when they are so easily abused like this are only detremental - they create a fake level of trust.

Re:Meanwhile

[elgaard]

It would help Joe Sixpack if he used a browser that did not trust the VeriSign CA per default.

Re:Meanwhile

Aside from the enormous inconvience actually practicing this with high security settings.

If Versign is making certain claims about their trust worthiness, and that of the people they certify, they should be held accountable when those claims are demonstratibly false. They're lying for money. No it might not be the end users money, but it's their time that's being stolen, and Verisign is doing it for money. And while there certainly is some wisdom in being a wary buyer, I think their is something to be said for forcing people to keep their promises to the larger marketplace. "Oh, they're rich, it's good for their business.", doesn't exactly put me in a benefit of the doubt kind of mood.

Re:Meanwhile

[sbryant]

Yes well, that doesn't help Joe Sixpack who reads "CLICK YES TO CONTINUE" and does it.

At least he read it! I know plenty of people who will just click OK without even looking at what they're agreeing to.

The trouble is that lots of people don't understand what is being asked of them (so many give up reading at all). Signed certificate? While I could explain what it is, how do you teach people to be able to choose the good from the bad? Some are definately not so easy to spot.

Ol' Joe should be more distrusting of these things, but isn't.

-- Steve

Re:Meanwhile

[Dolda2000]

What you seem to be missing is the fact that certificates are meant for authentication, not authorization. While it would most likely help if VeriSign wouldn't issue certificates to dubious software vendors, that would be as much abuse of the technology as the idea of setting "sex bits" on IP packets to indicate sexual content.

Thus, authentication already works the way it should. This is not a case where I should say "don't fix what already works", but rather "don't break that which works". Instead, work should be done on the authorization part. I have no suggestion as to how authorization should be fixed, but at least authentication shouldn't be broken just to get an ad-hoc fix to authorization.

Re:Meanwhile

[sl4shd0rk]

> they create a fake level of trust.
Yes, but they generate a *huge* volume of capital and this is what drives the interweb now.

Re:Meanwhile

[Raphael]

So if someone says that they are downloading Firefox, they can just get a certificate, say it's from the "Firefox Foundation" (a mythical yet believable organization) downloading a program called "Firefox Browser", and most people would click yes.

Right. This is one of the things that the article was complaining about. Unfortunately, there is no easy way to prevent that kind of scams: Verisign could check for obvious stuff such as "CLICK YES..." but it would be had for them or for anyone else to check for names that are similar to the names of companies or individuals all over the world.

This defeats the whole purpose of having certificates to prove the content is from who it claims to be, when you can just lie about it!

If you accept all certificates blindly, then yes. If you pay a bit more attention, then no. You should only trust the certificates for the level of security that they provide, not more.

Once you have determined that a certificate is good, you can choose to let your software remember that decision so that you do not have to check it again the next time you see it.

Re:Meanwhile

[SiChemist]

But the point of the article was that Verisign was not enforcing its own rules. Some of the company names on the certificates were FAKED. In that instance you can't verify who the software is FROM in any meaningful way.

At least part of the problem is that Verisign is unwilling to make even the smallest effort to end trickery using its service.

Re:Meanwhile

[kawika]

Verisign charges $400 for a code signing certificate. It doesn't appear they do anywhere near $400 worth of work at the moment. Even if it's true that catching scam names in advance is hard, revoking them should be easy. The "Click YES to continue" cert is still valid, and I can assure you that Verisign is quite aware of it.

Re:Meanwhile

Agreed. For much less that $400, I can open a bank account. The bank takes reasonable measures to be sure that I am who I say I am or that I actually represent the business I'm claiming to represent. No reason Verisign couldn't do the same thing.

Yes, but

[unkaggregate]

what happens when they stop using such blatantly obvious names and go with more subtle made-up names?

Heck, what if they start using a thesarus to pick complicated sound names that sound cool?

Re:Yes, but

[TLLOTS]

While I expect you're correct in your assumptions about what peopla attempting to abuse this would do, shouldn't VeriSign still perform some verification of the companies details given and ensure that if false information is given, that they can somehow contact the person who brought in the application for the certificate.

After all, if there's no real verification done then what good are these? It seems like they're more $200 - $600 licenses to trick users into donwloading your spyware.

That would slow things down

[tjlsmith]

And since the purpose of opportunistic companies like Verisign, who's keys are no better than anyone else's, is to make as much doe ray me as fast as possible, why are they going to do this?

Re:That would slow things down

[Shano]

I would assume, since they're one of the bigger companies out there, that they think it will make them look good. If they don't crack down on the fraudsters, there's a risk that people will stop trusting Verisign. In which case, no more profits for them.

Sounds logical but...

[nuclear305]

I can't deny that VeriSign should be doing a better job with stuff like this, but I certainly don't believe in the claim that by taking their certs away that drive-by downloads will cuddenly stop.

The real problem is the fact that nobody bothers to read the window that has just popped up in front of them. I'm guilty of this myself, there have been times I've not even recognized a problem with certs on my own servers the first few times clicking through.

My saving grace is that I never ever click an OK or YES button unless I'm expecting one. That simple rule has kept me from ever having anything installed using this method. The problem is that not everyone understands that they should not agree to every popup window they see. It's not going to matter if it claims to be authorized by God himself; if it has a YES/NO/CANCEL option and the user is not security-aware the person will probably say yes. I think educating people would be more effetive than trying to get the CAs to revoke the certificates.

I'm sure there will be plenty of the "Use FireFox, Problem Solved!" comments as well. I have experienced, rarely, where a drive-by site is impossible to say "no" to when under Firefox and eventually crashed the browser but IE under SP2 handled itself very well on the same page.

Re:Sounds logical but...

[ZiZ]

I'm sure there will be plenty of the "Use FireFox, Problem Solved!" comments as well. I have experienced, rarely, where a drive-by site is impossible to say "no" to when under Firefox and eventually crashed the browser but IE under SP2 handled itself very well on the same page. Right, IE just calmly and quietly installs the software for you if you're not computer-savvy enough to say 'yes' to the dialog box to start with. ;) Seriously, though, I think that the /possibility/ of letting computers auto-install software that doesn't /directly/ come from a company that you've already approved - that is, Microsoft updates for Windows, Mozilla Foundation updates for Mozilla or Firefox, Adobe updates for Photoshop - causes more problems than it reduces headaches. Make people go through extra steps if they want to install FREE PR0N EXPAND YOUR PENIS NOW or A COOL SCREENSAVER FOR YOU, since computers have long been training your average user to just say 'ok' to any dialog box that pops up.

VeriSign doesn't love us.

Help us for "free"?

Remember the DNS hijack? They wouldn't back down untill they were sued and threatned repeatedly.

Why was this allowed before?

[millwall]

How come they only just now start to question companies with names such as "CLICK YES TO CONTINUE"?

It's so basic that it's sad that they now issue this press release trying to make them look like good guys, even though it's so obvious and should have been looked into much earlier.

Re:Stupid User Factor...

[KinkyClown]

Just let Darwin sort it out.

Right. And until that time we will have to deal with a few million zompies that spam us? Not really a good option.

We should try to educate the users that are unaware to these problems. Just like I am constantly helping my parents and friends. They would never OK such a certificate because I tolled them that it could be spyware, etc.

An idea but in practice...

[portwojc]

That requires VeriSign to actually do something and cuts into their profits.

Look at the mess known as the domain registry and how much junk information is found in there. I'm sure the license for the SSL has the same requirements (and no teeth) just like the DNS registry does.

Trust is an easily broken thing

[Gareth+Saxby]

Too often do I trust the wrong sites, with owneres that I personally know myself, to then be bogged down with spyware alerts on my computer. I'm amazed at what Verisign has done in the first place, it makes them seem more concerned about earning money than security over malicious applications and code.

The very cheek of it all, is that the main marketing technique on their website is to talk about security. I think if they were going to clean up their act, they would have done it a long time ago. No hope for some people.

Why should Verisign oblige?

[littlem]

Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."

Come on! Verisign's whole business model is to sell as many certificates as it can - it's simply not in their interests to show scruples like that. Verisign have the MicroSoft seal of approval, so for the average desktop user that makes their reputation beyond suspicion, so they have nothing to lose.

Re:Verisign is not at fault.

[MichaelSmith]

Here's how MY browser works: It displays webpages

My Sister-in-law runs redhat 9 (because I installed the system)

She tells me that she often goes to sites which offer games which she (or her son) would like to run. Most of the time they don't work either because they need java or activex, or because they are just broken

Either way it is my fault for giving her a PC which doesn't do all these things

You and I have reasonable expectations about technology. The person in the street has different expectations and they drive the market

A dumb users first experience of the internet...

[buro9]

...is to trust everyone.

They have to.

Every site that they visit will have embedded Flash, embedded Java, embedded QuickTime, embedded Real, embedded midi (FFS!).

They are taught on their first few days to trust everyone, and that nothing that they want to achieve can be done without trusting that the site is legit in asking you to download and install stuff.

And when they speak to their geek friends (or friends of their kids), they get told dismissively and condescendingly that YES, they must install to see the site properly, to do what they want. You can bet that they won't ask a second time!

Is it really a surprise then, that we have a problem later with dumb users downloading spyware, adware, and malware in general?

The problem could be much alleviated by simply pre-installing all of the key technologies in advance.

Some Linux distros do this... my mother knew from the first moment she used Simply Mepis that she didn't need to download anything else... I told her this, and because nearly all of her sites worked (just not pogo.com) she hasn't downloaded anything else.

But you can't do this with Windows... because Windows gives you nothing, and certainly nothing from Apple, Real, Macromedia, Sun, etc... and then to compound it, Windows is an open playground for malware once downloaded.

If Windows RME were permitted to be shipped with not just alternatives and pre-configured competitor offerings for media, but also with common plugins for the web... and... maybe even Firefox to give choice... then this would do more to prevent malware spreading than Verisign being forced to change their practices.

Of course... hell would freeze over, pigs would fly, and the Bush would have an epiphany on social welfare before all of the above happened.

brilliantly myopic

[tverbeek]

The fact that the author is suggesting that Verisign do this points out why it's such a bad idea, a cure worse than the disease. Who here trusts Verisign? So why should we make them (or even let them become) arbiters of whom to trust?

Teaching individual users to be more informed and responsible about whom they trust may be difficult, but it's better than entrusting a private, unaccountable, quasi-monopoly (let alone one with a history of un-trust-worthy behaviour) with that decision.

Re:A dumb users first experience of the internet..

[TractorBarry]

> And when they speak to their geek friends (or
> friends of their kids), they get told dismissively
> and condescendingly that YES, they must install to > see the site properly, to do what they want. You
> can bet that they won't ask a second time!

Not this geek friend. I tell people not to trust anyone on the internet and to never download any crappy plugins as 90% of them will simply be used for serving up intrusive advertising. And if the site doesn't work without their plugins them go elsewhere.

After I've removed the first load of spyware and repeated the advice they usually listen. If not they don't get a second visit from me. I just point them to the internet and say "You're not interested in my advice so you can fix things yourself".

Sorry I've gone half tilt Amish on the idiots of the internet. If you can't get your message over to me using plain old HTML and static images you can stick your message up your arse.

The internet is not digital TV.

Personally I can't wait 'til someone invents some sort of uber bandwidth media-tastic bright & shiny "Hyper Net" (now with unbrakabul DRM (tm)). Then all the drongos can go and happily consume on it whilst leaving the rest of us with our "good old" internet.

Plugins ? I spit on you all.

Quit treating certificates as indications of trust

[argent]

The other solution is to quit treating digital certificates as something to do with trust (the authorization-vs-authentication fallacy). Microsoft's stupid "security zones" model takes this blatant idiocy further than anyone, but all browsers have adopted some similar conceptual structure.

A certificate doesn't tell you anything about whether a web site is secure, trustable, or anything else. It simply provides a slightly better verification of identity.

Why do people just click OK? Because of the OS.

[ianscot]

I know plenty of people who will just click OK without even looking at what they're agreeing to.

Which should tell us there's a bigger problem here than whether Verisign is, in the fashion of the AKC, turning a blind eye to puppymillers who'll pay for registration papers.

If users have been conditioned to routinely say "yes" or "OK" to anything they see, it's partly because the APIs they deal with all day long encourage the writing of bad, unintelligible dialogs. Anyone who's ever waded through the "Yes No Help" dialog box when saving to a .csv file from Excel knows this problem. That one's unreal: they give us a bulleted list in the dialog that basically translates the buttons.

It's no accident that tons of the spyware pop-ups out there look like Windows dialog boxes. People are so used to clicking through horribly-written dialogs that they don't pay any attention. A better set of API default dialog types would nudge everyone, programmers and users, in the direction of actually readable dialogs that mean something.

Re: Java?

[archen]

You'd be surprised. Our company bought a product from UPS logistics that uses the Sun Java runtime but doesn't work in Firefox. (yes I'm serious). Turns out they have a bunch of IE only javascript that sends parameters to the applet, whithout the parameters it doesn't initalize. I dug around the system for like an hour trying to figure out what it was doing, but in the end just gave up. Lazy programmers will always bone you, no matter how portible something is supposed to be.

It's about trust

[budgenator]

Verisign's main corporate asset is trust, the entire certificate business is centered arround that trust. What we have to trust is that Verisign has in place an effective mechanism to insure that entities are in fact who they say they are and is applying that mechanism effectivly. It appears that Verisign is not effectivley applying that mechanism, and are wasting their most important asset. For quite a while I've suspected that a Verisign cert only meant that some paperwork was filled out and a check cashed.

Personaly I don't care if Tony Suprano is doing it as long as he insures the entities are who they say they are and is actually enforcing the contract.Tony might be better, the dirtbags are less likely to jerk him arround.