Slashdot Mirror
How VeriSign Could Stop Drive-By Downloads
emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."
The beauty of certificates is, you decide who you trust. If you object to VeriSign's practice of issuing certificates to spyware/adware makers, simply don't choose to trust VeriSign's root certificate. This is only a temporary measure, I guess.
Heck, what if they start using a thesarus to pick complicated sound names that sound cool?
And since the purpose of opportunistic companies like Verisign, who's keys are no better than anyone else's, is to make as much doe ray me as fast as possible, why are they going to do this?
Mumia Abu-Jamal is *laughably guilty*. Check the evidence.
I can't deny that VeriSign should be doing a better job with stuff like this, but I certainly don't believe in the claim that by taking their certs away that drive-by downloads will cuddenly stop.
The real problem is the fact that nobody bothers to read the window that has just popped up in front of them. I'm guilty of this myself, there have been times I've not even recognized a problem with certs on my own servers the first few times clicking through.
My saving grace is that I never ever click an OK or YES button unless I'm expecting one. That simple rule has kept me from ever having anything installed using this method. The problem is that not everyone understands that they should not agree to every popup window they see. It's not going to matter if it claims to be authorized by God himself; if it has a YES/NO/CANCEL option and the user is not security-aware the person will probably say yes. I think educating people would be more effetive than trying to get the CAs to revoke the certificates.
I'm sure there will be plenty of the "Use FireFox, Problem Solved!" comments as well. I have experienced, rarely, where a drive-by site is impossible to say "no" to when under Firefox and eventually crashed the browser but IE under SP2 handled itself very well on the same page.
After the whole debacle with the DNS somehow i don't see Verisign prioritize ethics over profit any time soon
If an experiment works, something has gone wrong.
Help us for "free"?
Remember the DNS hijack? They wouldn't back down untill they were sued and threatned repeatedly.
Perhaps, one day after Drive-By Downloads are stopped, a new era could emerge...
A time in which east-side nerds could live side by side with west-side nerds.
I have a dream...
Sigs are for the weak.
How come they only just now start to question companies with names such as "CLICK YES TO CONTINUE"?
It's so basic that it's sad that they now issue this press release trying to make them look like good guys, even though it's so obvious and should have been looked into much earlier.
Just let Darwin sort it out.
Right. And until that time we will have to deal with a few million zompies that spam us? Not really a good option.
We should try to educate the users that are unaware to these problems. Just like I am constantly helping my parents and friends. They would never OK such a certificate because I tolled them that it could be spyware, etc.
That requires VeriSign to actually do something and cuts into their profits.
Look at the mess known as the domain registry and how much junk information is found in there. I'm sure the license for the SSL has the same requirements (and no teeth) just like the DNS registry does.
That doesn't mitigate Verisign awarding certificates from bogus companies.
Its possible to have your Internet Explorer set to accept properly certified code, so in some cases the user doesn't even look.
I DARE YOU TO CLICK YES
we were also considering
CLICK YES YOU MORON
OMG, WERE YOU SERIOUSLY GOING TO CLICK NO
and
THIS IS SO COOL, YOU GOTTA SEE WHAT HAPPENS WHEN YOU CLICK YES
Either that or they face the "threat" that more and more people switch over to Firefox which doesn't use ActiveX at all which in turn means less activex certification profits?
is to design a mechanism for stabbing people in the face over the internet.
Wanna get rid of spyware, adware and malware?
CLICK YES TO CONTINUE
Too often do I trust the wrong sites, with owneres that I personally know myself, to then be bogged down with spyware alerts on my computer. I'm amazed at what Verisign has done in the first place, it makes them seem more concerned about earning money than security over malicious applications and code.
The very cheek of it all, is that the main marketing technique on their website is to talk about security. I think if they were going to clean up their act, they would have done it a long time ago. No hope for some people.
Reminds me of a comment on politics which also appeared on /. some time ago.
It was proposed to change one's name to None Of The Above and run for presidency.
Seriously. It blows my mind that I can create a site that can make a dialogue box pop up that when the user clicks "yes" can install software. Verisign can't be blamed for that mess. ActiveX, on the other hand, can. Here's how MY browser works: It displays webpages. If I want software, I download it to my desktop. I then choose to open it or delete it. No ActiveX, no auto-launcing/auto-installing/etc bs. What's so hard about that?
Quid festinatio swallonis est aetherfuga inonusti?
Africus aut Europaeus?
This is the point - this means that if, just by accident, it turns out that the given software performs illegal actions, uses your computer to store kiddie porn or starts to send spam to .gov or .mil adresses, verisign can track the body it issued sertificate to and hold it accountable.
And it has nothing to do with actual quality of software it has signed.
Come on! Verisign's whole business model is to sell as many certificates as it can - it's simply not in their interests to show scruples like that. Verisign have the MicroSoft seal of approval, so for the average desktop user that makes their reputation beyond suspicion, so they have nothing to lose.
From what I have seen, I believe that the employees at Verisign are "Clicking yes to continue" when approving certificate requests. Or someone mistakenly clicked the "Yes to All" button.
Indeed.
Basically a certificate signed by Verisign is just that and only that. It's a certificate signed by Verisign. It doesn't say anything about the person or company presenting the certificate, their partners, business practices, history, ethics or ANYTHING ELSE. The only thing it's safe to assume is that someone fed Verisign a (probably valid) credit card number and they received a signed certificate (which you're looking at). That's it. End of story.
For some reason people see the words 'signed' and 'certificate' and assume there's some automagic security haze covering everthing and they get really upset when this turns out not to be the case.
When people start blathering 'Oh, but I just assumed...' remind them that assumption is the mother of all fsckups and they really should have learned that lesson by now.
...is to trust everyone.
They have to.
Every site that they visit will have embedded Flash, embedded Java, embedded QuickTime, embedded Real, embedded midi (FFS!).
They are taught on their first few days to trust everyone, and that nothing that they want to achieve can be done without trusting that the site is legit in asking you to download and install stuff.
And when they speak to their geek friends (or friends of their kids), they get told dismissively and condescendingly that YES, they must install to see the site properly, to do what they want. You can bet that they won't ask a second time!
Is it really a surprise then, that we have a problem later with dumb users downloading spyware, adware, and malware in general?
The problem could be much alleviated by simply pre-installing all of the key technologies in advance.
Some Linux distros do this... my mother knew from the first moment she used Simply Mepis that she didn't need to download anything else... I told her this, and because nearly all of her sites worked (just not pogo.com) she hasn't downloaded anything else.
But you can't do this with Windows... because Windows gives you nothing, and certainly nothing from Apple, Real, Macromedia, Sun, etc... and then to compound it, Windows is an open playground for malware once downloaded.
If Windows RME were permitted to be shipped with not just alternatives and pre-configured competitor offerings for media, but also with common plugins for the web... and... maybe even Firefox to give choice... then this would do more to prevent malware spreading than Verisign being forced to change their practices.
Of course... hell would freeze over, pigs would fly, and the Bush would have an epiphany on social welfare before all of the above happened.
You haven't seen goatse yet have you?
Obviously, nothing happened afterwards.
Obviosly 90% of the people posting in this discussion have no practical experience with this subject. The certificate in question is a code-signing certificate. Have you ever bought (or tried to buy) one of those from Verisign? I have and let me tell you--it is a royal pain in the ass. I can say with almost certainty that those certificates that are from a company called "CLICK YES TO CONTINUE" did not come from Verisign.
/. ignorance.
It took me nearly two weeks to track down all the paperwork to get my code signing certificate (authenticode). The process includes designating two contacts, faxing over several forms (including a valid county business license for the company name on the application) and a notorized agreement of indemification because they weren't able to do 3rd party identity validation on my company (they look your company name up in the white pages and call the number to make sure it exists and that you do indeed work there. My company wasn't in the phone book.) They also try to look you up in D&B. This all came after giving them the $500 for the certificate.
That being said, I don't see how anyone could get away with purchasing a certificate such as described in the article from Verisign--maybe Thawte or another. IMO Verisign is taking some flak here due to
Teaching individual users to be more informed and responsible about whom they trust may be difficult, but it's better than entrusting a private, unaccountable, quasi-monopoly (let alone one with a history of un-trust-worthy behaviour) with that decision.
http://alternatives.rzero.com/
Why hasn't this company been banned from having anything to do with the Internet?
Time and time again it gets busted doing crap like the SiteFinder fiasco and still they get away with it.
Software should NEVER be allowed to install itself! I'm sure some genius at MS thought it would be a great way to lure developers into using ActiveX instead of Java.
The proper behavior would be to have a user find a download, click the download to put it somewhere on the hard drive, then have the user "double-click" the file to install the software. This would totally prevent drive-by downloads.
-ted
Firefox should have a mechanism to assign different levels of trust to CAs - http://www.openca.org/openca/ would have a higher level and VeriSign a lower level.
This could be changed by the end user, though.
When the user gets presented with a dialog box, Firefox would suggest the user to not trust VeriSign-signed sites.
The "VeriSign penalty" could be adjusted in each new release based on their willingness to ge their shit together. Fuckos.
> And when they speak to their geek friends (or
> friends of their kids), they get told dismissively
> and condescendingly that YES, they must install to > see the site properly, to do what they want. You
> can bet that they won't ask a second time!
Not this geek friend. I tell people not to trust anyone on the internet and to never download any crappy plugins as 90% of them will simply be used for serving up intrusive advertising. And if the site doesn't work without their plugins them go elsewhere.
After I've removed the first load of spyware and repeated the advice they usually listen. If not they don't get a second visit from me. I just point them to the internet and say "You're not interested in my advice so you can fix things yourself".
Sorry I've gone half tilt Amish on the idiots of the internet. If you can't get your message over to me using plain old HTML and static images you can stick your message up your arse.
The internet is not digital TV.
Personally I can't wait 'til someone invents some sort of uber bandwidth media-tastic bright & shiny "Hyper Net" (now with unbrakabul DRM (tm)). Then all the drongos can go and happily consume on it whilst leaving the rest of us with our "good old" internet.
Plugins ? I spit on you all.
Sky subscribers are morons. They pay to be advertised at !
The other solution is to quit treating digital certificates as something to do with trust (the authorization-vs-authentication fallacy). Microsoft's stupid "security zones" model takes this blatant idiocy further than anyone, but all browsers have adopted some similar conceptual structure.
A certificate doesn't tell you anything about whether a web site is secure, trustable, or anything else. It simply provides a slightly better verification of identity.
Which should tell us there's a bigger problem here than whether Verisign is, in the fashion of the AKC, turning a blind eye to puppymillers who'll pay for registration papers.
If users have been conditioned to routinely say "yes" or "OK" to anything they see, it's partly because the APIs they deal with all day long encourage the writing of bad, unintelligible dialogs. Anyone who's ever waded through the "Yes No Help" dialog box when saving to a .csv file from Excel knows this problem. That one's unreal: they give us a bulleted list in the dialog that basically translates the buttons.
It's no accident that tons of the spyware pop-ups out there look like Windows dialog boxes. People are so used to clicking through horribly-written dialogs that they don't pay any attention. A better set of API default dialog types would nudge everyone, programmers and users, in the direction of actually readable dialogs that mean something.
"Fundamentalism" isn't about divine morality. It's about human authority.
The only real use of a certificate is to show that the software you download is actually from the company that it's claiming to be from.
The trust-worthiness of that company is still in debate... you just now know who it is you're dealing with.
MadCow.
I used to have a sig, but I set it free and it never came back.
Seriously, anyone who clicks on crap like that deserves to get screwed! My father-in-law is one of those types. It's a compulsion. He clicks on any spam, pop-up, or banner ad no matter how many times I've told him to stop. I had to set up a very restricted user account on his computer. Essentially he's unable to download or install anything. But he's been spyware free for over a year now.
If someone says he and his monkey have nothing to hide, they almost certainly do.
Read my Technocrat article for more info and I also submitted to Slashdot, but it got rejected - oh well.
Hulk SMASH Celiac Disease
You'd be surprised. Our company bought a product from UPS logistics that uses the Sun Java runtime but doesn't work in Firefox. (yes I'm serious). Turns out they have a bunch of IE only javascript that sends parameters to the applet, whithout the parameters it doesn't initalize. I dug around the system for like an hour trying to figure out what it was doing, but in the end just gave up. Lazy programmers will always bone you, no matter how portible something is supposed to be.
Do you want to install and run "ULTRA-FAST P3N!$ ENHANCER 4.3" signed on 3/27/2003 10:54 AM and distributed by:
CLICK YES TO CONTINUE
Publisher authenticity verified by VeriSign Class 3 Code Signing 2001 CA Caution: CLICK YES TO CONTINUE asserts that this content is safe. You should only install/view this content if you trust CLICK YES TO CONTINUE to make that assertion.
[] Always trust content from CLICK YES TO CONTINUE.
The point of certificates is to prevent impersonation of trusted sources by untrusted sources. Anyone can register a valid company name. Verisign considers proof of name a printed phone listing (they call you back at the published number) or a notarized copy of a business license.
So somebody seems to have registered a company name "Click YES to continue" in some state. It's probably a legal company name. I agree with the author that this is obviously deceptive practice, and Verisign should revoke the certificate revoked. In addition, we should be able to complain to Verisign about other companies violating the Verisign agreement.
I don't know what they do if the company name is a duplicate of another previously registered name.
Verisign's main corporate asset is trust, the entire certificate business is centered arround that trust. What we have to trust is that Verisign has in place an effective mechanism to insure that entities are in fact who they say they are and is applying that mechanism effectivly. It appears that Verisign is not effectivley applying that mechanism, and are wasting their most important asset. For quite a while I've suspected that a Verisign cert only meant that some paperwork was filled out and a check cashed.
Personaly I don't care if Tony Suprano is doing it as long as he insures the entities are who they say they are and is actually enforcing the contract.Tony might be better, the dirtbags are less likely to jerk him arround.
Apocalypse Cancelled, Sorry, No Ticket Refunds
After reading the article I was reminded of the common practice in the late 1980s and early 1990s, before cell phones were nearly as common as they are now, of people registering long distance phone companies with names like "it doesn't matter" and "makes no difference" so that when an unsuspecting pay phone user, at an airport say after a long flight, was asked which long distance company's services they wanted they would get stuck with one of these unscrupulous operators who would then proceed to charge them out the nose, ~$5.00+ per minute, for the call (especially on those card phones which took credit).