How VeriSign Could Stop Drive-By Downloads
emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."
Not to mention the debacle over punycode domains and Verisign not following RFC security guidelines to normalise domains before they allow them to be issued; seems they have a lot of fingers in a lot of pies at present to gain a lot of money from a lot of dubious practices....
That doesn't mitigate Verisign awarding certificates from bogus companies.
It's possible to have your Internet Explorer set to accept properly certified code, so in some cases the user doesn't even look.
I remember after digging around in the MMC seeing somewhere that Verisign is not only trusted by IE, but XP itself!
There's a copy of their public certificate on your machine - that's how IE can tell if it really was Verisign that signed it.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Either that or they face the "threat" that more and more people switch over to Firefox which doesn't use ActiveX at all which in turn means less activex certification profits?
I've had a couple of drive-bys in Firefox. Malicious JavaScripts, no signing needed.
Fortunately enough my AV caught them and kept them from spreading, but Firefox died and had to be restarted.
Seriously. It blows my mind that I can create a site that can make a dialogue box pop up that when the user clicks "yes" can install software. Verisign can't be blamed for that mess. ActiveX, on the other hand, can. Here's how MY browser works: It displays webpages. If I want software, I download it to my desktop. I then choose to open it or delete it. No ActiveX, no auto-launching/auto-installing/etc bs. What's so hard about that?
What is the airspeed of an unladen swallow?
African or European?
Granted, but that's a pretty fine point to explain to, say, my roommates who regularly start bitching about their computer acting "weird."
"Well, that certificate thing popped up so I thought it was safe..."
So every couple weeks I go in and do the electronic enema for them.
Send whiskey and fresh horses!
This is the point - this means that if, just by accident, it turns out that the given software performs illegal actions, uses your computer to store kiddie porn or starts to send spam to .gov or .mil addresses, Verisign can track the body it issued the certificate to and hold it accountable.
And it has nothing to do with actual quality of software it has signed.
Indeed.
Basically a certificate signed by Verisign is just that and only that. It's a certificate signed by Verisign. It doesn't say anything about the person or company presenting the certificate, their partners, business practices, history, ethics or ANYTHING ELSE. The only thing it's safe to assume is that someone fed Verisign a (probably valid) credit card number and they received a signed certificate (which you're looking at). That's it. End of story.
For some reason people see the words 'signed' and 'certificate' and assume there's some automagic security haze covering everything and they get really upset when this turns out not to be the case.
When people start blathering 'Oh, but I just assumed...' remind them that assumption is the mother of all fsckups and they really should have learned that lesson by now.
So if someone says that they are downloading Firefox, they can just get a certificate, say it's from the "Firefox Foundation" (a mythical yet believable organization) downloading a program called "Firefox Browser", and most people would click yes. This defeats the whole purpose of having certificates to prove the content is from who it claims to be, when you can just lie about it!
Why hasn't this company been banned from having anything to do with the Internet?
Time and time again it gets busted doing crap like the SiteFinder fiasco and still they get away with it.
Software should NEVER be allowed to install itself! I'm sure some genius at MS thought it would be a great way to lure developers into using ActiveX instead of Java.
The proper behavior would be to have a user find a download, click the download to put it somewhere on the hard drive, then have the user "double-click" the file to install the software. This would totally prevent drive-by downloads.
-ted
Firefox should have a mechanism to assign different levels of trust to CAs - http://www.openca.org/openca/ would have a higher level and VeriSign a lower level.
This could be changed by the end user, though.
When the user gets presented with a dialog box, Firefox would suggest the user to not trust VeriSign-signed sites.
The "VeriSign penalty" could be adjusted in each new release based on their willingness to get their shit together. Fuckos.
Now controls are unarguably the bigger danger, but that does not excuse the weak security defaults that Firefox uses for extensions. A user can install any extension without a clue as to who wrote it, or even if it was tampered with. The default policy should be accept signed extensions and not accept unsigned ones at all. If people want to change that preference, that's their own business, but secure by default should still be the order of the day.
I don't agree. This is partially an issue with business names themselves. If we were talking proper names, e.g. John Smith (the individual), a man who writes spammy spyware for a living, and the cert say his name is John Smith, then yes, it's authenticating him (and his software) as being the person he says he is.
Unfortunately, a person can game this system by choosing any business name they like. "CLICK HERE TO INSTALL" is not a legitimate name, not even a legitimate business name... I seriously doubt it's a registered or incorporated business name, and even if it is, it's done only so they can get a certificate with the same name. How can you authenticate them with a bullshit name? Authentication means proving who they are, which this isn't doing at all. And I don't mean to be ultra-picky, but if you couldn't get a driver's license with the name, or open a bank account with it, you probably shouldn't be able to get a certificate with that name.
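The posts above make one technical point from several angles: the browser checks the publisher's signature against a copy of the CA's root certificate already on the machine, a valid chain therefore proves only which CA vouched for the subject name, and the CA never judged whether "CLICK YES TO CONTINUE" is a name at all. The Go program below is an added example written for this page; it is not from the article, from any commenter, or from VeriSign, and uses no VeriSign key or certificate. It generates a hypothetical root CA, issues a code-signing certificate to "CLICK YES TO CONTINUE", signs a constructed blob, verifies chain and signature the way a browser would (the chain passes), and then applies a hypothetical issuance-time heuristic, suspiciousPublisherName, of the kind the article asks the CA to run. Every name, function and the word list in that heuristic are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// issue creates a certificate from tmpl, signed by signer's key, and parses it back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI plays the CA: a freshly generated (hypothetical) root issues a
// code-signing certificate to whatever subject name is requested.
func buildPKI(publisherName string) (root, pubCert *x509.Certificate, pubKey *ecdsa.PrivateKey, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Code Signing CA (hypothetical)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if root, err = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	if pubKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	pubTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: publisherName}, // the CA never judges this string
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if pubCert, err = issue(pubTmpl, root, &pubKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	return root, pubCert, pubKey, nil
}

// signCode stands in for the Authenticode signature a real download would carry.
func signCode(key *ecdsa.PrivateKey, code []byte) ([]byte, error) {
	digest := sha256.Sum256(code)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyPublisher does what the browser does before the dialog: chain the certificate
// to a root already on the machine, check the signature, and return the asserted name.
func verifyPublisher(root, pubCert *x509.Certificate, code, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := pubCert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain does not reach a trusted root: %w", err)
	}
	pk, ok := pubCert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(code)
	if !ok || !ecdsa.VerifyASN1(pk, digest[:], sig) {
		return "", fmt.Errorf("signature does not match the code")
	}
	return pubCert.Subject.CommonName, nil
}

// suspiciousPublisherName is a hypothetical issuance-time heuristic: a "name"
// built from words that tell the user what to do is not a name at all.
var instructionWords = regexp.MustCompile(`(?i)\b(click|press|yes|ok|continue|install|here|accept|run)\b`)
func suspiciousPublisherName(name string) bool {
	return len(instructionWords.FindAllString(name, -1)) >= 2
}

func main() {
	root, pubCert, pubKey, err := buildPKI("CLICK YES TO CONTINUE")
	if err != nil {
		panic(err)
	}
	code := []byte("constructed installer bytes") // constructed sample, not a real binary
	sig, _ := signCode(pubKey, code)
	name, err := verifyPublisher(root, pubCert, code, sig)
	fmt.Printf("chain and signature valid: %v; publisher asserts %q; CA should have refused the name: %v\n", err == nil, name, suspiciousPublisherName(name))
}
```

Run it and the first value is true: chain and signature are fine, because the CA did exactly what it was paid to do. Only the last check, which nothing in the browser performs, catches the bogus name; that is why the article puts the burden on the CA at issuance time rather than on the user at the dialog.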
Seriously, anyone who clicks on crap like that deserves to get screwed! My father-in-law is one of those types. It's a compulsion. He clicks on any spam, pop-up, or banner ad no matter how many times I've told him to stop. I had to set up a very restricted user account on his computer. Essentially he's unable to download or install anything. But he's been spyware free for over a year now.
If someone says he and his monkey have nothing to hide, they almost certainly do.
This boggles my mind too. I've renewed the same server certificates for years and some code certs, it's a royal PITA. Every year they manage to throw a wrench in the process somehow, oh.. this obscure piece of data we got from this place doesn't exactly match your company's street address or we called once at 3am and no one answered.
I'm amazed anyone can get through all that with bogus information. You'd think that someone with that kind of determination could be doing something better with their skills.
Do you want to install and run "ULTRA-FAST P3N!$ ENHANCER 4.3" signed on 3/27/2003 10:54 AM and distributed by:
CLICK YES TO CONTINUE
Publisher authenticity verified by VeriSign Class 3 Code Signing 2001 CA
Caution: CLICK YES TO CONTINUE asserts that this content is safe. You should only install/view this content if you trust CLICK YES TO CONTINUE to make that assertion.
[] Always trust content from CLICK YES TO CONTINUE.
TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
After reading the article I was reminded of the common practice in the late 1980s and early 1990s, before cell phones were nearly as common as they are now, of people registering long distance phone companies with names like "it doesn't matter" and "makes no difference" so that when an unsuspecting pay phone user, at an airport say after a long flight, was asked which long distance company's services they wanted they would get stuck with one of these unscrupulous operators who would then proceed to charge them out the nose, ~$5.00+ per minute, for the call (especially on those card phones which took credit).