How VeriSign Could Stop Drive-By Downloads
emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."
I remember after digging around in the MMC seeing somewhere that Verisign is not only trusted by IE, but XP itself!
There's a copy of their public certificate on your machine - that's how IE can tell if it really was Verisign that signed it.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Seriously. It blows my mind that I can create a site that can make a dialogue box pop up that when the user clicks "yes" can install software. Verisign can't be blamed for that mess. ActiveX, on the other hand, can. Here's how MY browser works: It displays webpages. If I want software, I download it to my desktop. I then choose to open it or delete it. No ActiveX, no auto-launching/auto-installing/etc bs. What's so hard about that?
Quid festinatio swallonis est aetherfuga inonusti?
Africus aut Europaeus?
Granted, but that's a pretty fine point to explain to, say, my roommates who regularly start bitching about their computer acting "weird."
"Well, that certificate thing popped up so I thought it was safe..."
So every couple weeks I go in and do the electronic enema for them.
Send whiskey and fresh horses!
This is the point - this means that if, just by accident, it turns out that the given software performs illegal actions, uses your computer to store kiddie porn or starts to send spam to .gov or .mil addresses, Verisign can track the body it issued the certificate to and hold it accountable.
And it has nothing to do with actual quality of software it has signed.
Indeed.
Basically a certificate signed by Verisign is just that and only that. It's a certificate signed by Verisign. It doesn't say anything about the person or company presenting the certificate, their partners, business practices, history, ethics or ANYTHING ELSE. The only thing it's safe to assume is that someone fed Verisign a (probably valid) credit card number and they received a signed certificate (which you're looking at). That's it. End of story.
For some reason people see the words 'signed' and 'certificate' and assume there's some automagic security haze covering everything and they get really upset when this turns out not to be the case.
When people start blathering 'Oh, but I just assumed...' remind them that assumption is the mother of all fsckups and they really should have learned that lesson by now.
I don't agree. This is partially an issue with business names themselves. If we were talking proper names, e.g. John Smith (the individual), a man who writes spammy spyware for a living, and the cert says his name is John Smith, then yes, it's authenticating him (and his software) as being the person he says he is.
Unfortunately, a person can game this system by choosing any business name they like. "CLICK HERE TO INSTALL" is not a legitimate name, not even a legitimate business name... I seriously doubt it's a registered or incorporated business name, and even if it is, it's done only so they can get a certificate with the same name. How can you authenticate them with a bullshit name? Authentication means proving who they are, which this isn't doing at all. And I don't mean to be ultra-picky, but if you couldn't get a driver's license with the name, or open a bank account with it, you probably shouldn't be able to get a certificate with that name.