Slashdot Mirror


How VeriSign Could Stop Drive-By Downloads

emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as 'CLICK YES TO CONTINUE') or that use those certificates to deceive consumers."

2 of 229 comments

  1. Re:Meanwhile by X0563511 (Score: 4, Interesting)

    I remember after digging around in the MMC seeing somewhere that Verisign is not only trusted by IE, but XP itself!

    There's a copy of their public certificate on your machine - that's how IE can tell if it really was Verisign that signed it.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  2. Re:Meanwhile by NoMoreNicksLeft (Score: 4, Interesting)

    I don't agree. This is partially an issue with business names themselves. If we were talking proper names, e.g. John Smith (the individual), a man who writes spammy spyware for a living, and the cert says his name is John Smith, then yes, it's authenticating him (and his software) as being the person he says he is.

    Unfortunately, a person can game this system by choosing any business name they like. "CLICK HERE TO INSTALL" is not a legitimate name, not even a legitimate business name... I seriously doubt it's a registered or incorporated business name, and even if it is, it's done only so they can get a certificate with the same name. How can you authenticate them with a bullshit name? Authentication means proving who they are, which this isn't doing at all. And I don't mean to be ultra-picky, but if you couldn't get a driver's license with the name, or open a bank account with it, you probably shouldn't be able to get a certificate with that name.
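The two comments above make one combined point: the browser checks that the publisher certificate chains to a root it already trusts (comment 1), but that check says nothing about whether the subject name in the certificate is a real organisation or a sentence aimed at the user (comment 2). The Go program below is an added illustration, not code from Ben Edelman's article, from the commenters, or from VeriSign. It stands in a throwaway self-signed root for the VeriSign root shipped in the Windows certificate store, issues a code-signing leaf with whatever subject the "applicant" asks for, verifies the chain the way a client would, and then applies a separate, purely heuristic name check of the kind the summary asks the CA to perform at issuance time. The `instructionWords` list and the "two or more hits" threshold are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// buildChain creates a throwaway root CA (a stand-in for the real root that
// ships in the OS trust store) and a code-signing leaf whose subject is
// whatever string the applicant supplied. Constructed here for illustration.
func buildChain(leafCN string) (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()

	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (hypothetical)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// The CA copies the applicant's name into the subject verbatim; nothing in
	// the X.509 machinery objects to "CLICK YES TO CONTINUE" as an O or CN.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: leafCN, Organization: []string{leafCN}},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// chainsToRoot is the client-side check: does the leaf chain, for the
// code-signing usage, to a root in the trust store? A true result proves the
// CA vouched for the subject string; it does not prove the string is honest.
func chainsToRoot(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// instructionWords is an assumed, illustrative list of words that belong in a
// dialog prompt rather than in an organisation name.
var instructionWords = regexp.MustCompile(`(?i)\b(click|press|yes|continue|install|accept|ok)\b`)

// looksLikeDialogText is the issuance-time screen the summary asks the CA to
// apply: flag a subject that reads as an instruction to the user. Two or more
// instruction words is the (assumed) threshold, so that a legitimate name
// containing one such word is not rejected.
func looksLikeDialogText(cn string) bool {
	return len(instructionWords.FindAllString(cn, -1)) >= 2
}

func main() {
	for _, cn := range []string{"CLICK YES TO CONTINUE", "Acme Software, Inc."} {
		root, leaf, err := buildChain(cn)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24q chains to trusted root: %v; reads like dialog text: %v\n",
			leaf.Subject.CommonName, chainsToRoot(leaf, root), looksLikeDialogText(cn))
	}
}
```

Both subjects verify identically: the chain check is about the key and the CA's signature, and a client that stops there will happily display "CLICK YES TO CONTINUE" as the publisher. The name screen is a separate policy decision that only the issuing CA is positioned to make, which is the point the summary presses on VeriSign.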