Slashdot Mirror


How VeriSign Could Stop Drive-By Downloads

emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."

31 of 229 comments

  1. Meanwhile by cynix.org · · Score: 4, Insightful

    The beauty of certificates is, you decide who you trust. If you object to VeriSign's practice of issuing certificates to spyware/adware makers, simply don't choose to trust VeriSign's root certificate. This is only a temporary measure, I guess.

    1. Re:Meanwhile by insert_username_here · · Score: 5, Insightful

      So you expect a clueless computer user, who's just learning about this interweb, to understand the importance of trust when downloading software?

      Even ignoring people who've never used a computer before, a lot of people are, unfortunately, very trustworthy.

      Having partly software-verifiable certificates (i.e. signed by Verisign instead of self-signed) goes a long way to helping a browser tell a user whether or not they should be able to trust this mysterious "gator.exe" (of course, people will always find ways around it).

      --
      -- Dramatisation - May Not Have Happened
    2. Re:Meanwhile by strider44 · · Score: 4, Insightful

      Tell me then, what's the point of having a certificate when you can get it under any name you want, for any (possibly) malicious piece of software? If it doesn't give any indication of being trustworthy at all then it's absolutely worthless!

      It's ironic that a Microsoft representative a little while ago was criticising Firefox for not paying for a certificate for the download. What is to stop someone registering "Firefox Browser" or "Click Yes to Download" instead? Certificates, when they are so easily abused like this, are only detrimental - they create a fake level of trust.

    3. Re:Meanwhile by elgaard · · Score: 4, Insightful

      It would help Joe Sixpack if he used a browser that did not trust the VeriSign CA per default.

    4. Re:Meanwhile by Anonymous Coward · · Score: 5, Insightful

      Aside from the enormous inconvenience of actually practicing this with high security settings.

      If Verisign is making certain claims about their trustworthiness, and that of the people they certify, they should be held accountable when those claims are demonstrably false. They're lying for money. No, it might not be the end user's money, but it's their time that's being stolen, and Verisign is doing it for money. And while there certainly is some wisdom in being a wary buyer, I think there is something to be said for forcing people to keep their promises to the larger marketplace. "Oh, they're rich, it's good for their business." doesn't exactly put me in a benefit-of-the-doubt kind of mood.

    5. Re:Meanwhile by X0563511 · · Score: 4, Interesting

      I remember after digging around in the MMC seeing somewhere that Verisign is not only trusted by IE, but XP itself!

      There's a copy of their public certificate on your machine - that's how IE can tell if it really was Verisign that signed it.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:Meanwhile by DarkTempes · · Score: 5, Informative

      the point of a certificate is NOT to verify that the company/person is a trustworthy company/person

      it's to verify that the software is FROM the person/company on the certificate

      certificates verify identification/authentication -- they are NOT an indication of trustworthy software, nor are they supposed to be.

      the problem is literacy and common sense, something that many people seem to lose the minute they touch a computer.

    7. Re:Meanwhile by sbryant · · Score: 4, Insightful

      Yes well, that doesn't help Joe Sixpack who reads "CLICK YES TO CONTINUE" and does it.

      At least he read it! I know plenty of people who will just click OK without even looking at what they're agreeing to.

      The trouble is that lots of people don't understand what is being asked of them (so many give up reading at all). Signed certificate? While I could explain what it is, how do you teach people to be able to choose the good from the bad? Some are definitely not so easy to spot.

      Ol' Joe should be more distrusting of these things, but isn't.

      -- Steve

    8. Re:Meanwhile by NoMoreNicksLeft · · Score: 4, Interesting

      I don't agree. This is partially an issue with business names themselves. If we were talking proper names, e.g. John Smith (the individual), a man who writes spammy spyware for a living, and the cert says his name is John Smith, then yes, it's authenticating him (and his software) as being the person he says he is.

      Unfortunately, a person can game this system by choosing any business name they like. "CLICK HERE TO INSTALL" is not a legitimate name, not even a legitimate business name... I seriously doubt it's a registered or incorporated business name, and even if it is, it's done only so they can get a certificate with the same name. How can you authenticate them with a bullshit name? Authentication means proving who they are, which this isn't doing at all. And I don't mean to be ultra-picky, but if you couldn't get a driver's license with the name, or open a bank account with it, you probably shouldn't be able to get a certificate with that name.

    9. Re:Meanwhile by thatnerdguy · · Score: 4, Funny

      setting "sex bits" on IP packets to indicate sexual content.
      Are those like the Evil Bits?

      --
      I saw the Sign, and it opened up my eyes
    10. Re:Meanwhile by itchy92 · · Score: 5, Funny

      "CLICK HERE TO INSTALL" is not a legitimate name, not even a legitimate business name

      Sir, I resent your libelous filth and my legal counsel will be contacting you shortly.

      Aaron Firouz
      CEO
      CLICK HERE TO INSTALL, LLC.

      --
      Slashdot: News for nerds. Stuff tha-- MICRO$OFT IS THE DEVIL!!1
    11. Re:Meanwhile by kawika · · Score: 5, Insightful

      Verisign charges $400 for a code signing certificate. It doesn't appear they do anywhere near $400 worth of work at the moment. Even if it's true that catching scam names in advance is hard, revoking them should be easy. The "Click YES to continue" cert is still valid, and I can assure you that Verisign is quite aware of it.

  2. That would slow things down by tjlsmith · · Score: 4, Insightful

    And since the purpose of opportunistic companies like Verisign, whose keys are no better than anyone else's, is to make as much doe ray me as fast as possible, why are they going to do this?

    --
    Mumia Abu-Jamal is *laughably guilty*. Check the evidence.
  3. Sounds logical but... by nuclear305 · · Score: 4, Insightful

    I can't deny that VeriSign should be doing a better job with stuff like this, but I certainly don't believe in the claim that by taking their certs away drive-by downloads will suddenly stop.

    The real problem is the fact that nobody bothers to read the window that has just popped up in front of them. I'm guilty of this myself, there have been times I've not even recognized a problem with certs on my own servers the first few times clicking through.

    My saving grace is that I never ever click an OK or YES button unless I'm expecting one. That simple rule has kept me from ever having anything installed using this method. The problem is that not everyone understands that they should not agree to every popup window they see. It's not going to matter if it claims to be authorized by God himself; if it has a YES/NO/CANCEL option and the user is not security-aware the person will probably say yes. I think educating people would be more effective than trying to get the CAs to revoke the certificates.

    I'm sure there will be plenty of the "Use FireFox, Problem Solved!" comments as well. I have experienced, rarely, where a drive-by site is impossible to say "no" to when under Firefox and eventually crashed the browser but IE under SP2 handled itself very well on the same page.

    1. Re:Sounds logical but... by ZiZ · · Score: 5, Insightful

      > I'm sure there will be plenty of the "Use FireFox, Problem Solved!" comments as well. I have experienced, rarely, where a drive-by site is impossible to say "no" to when under Firefox and eventually crashed the browser but IE under SP2 handled itself very well on the same page.

      Right, IE just calmly and quietly installs the software for you if you're not computer-savvy enough to say 'yes' to the dialog box to start with. ;)

      Seriously, though, I think that the /possibility/ of letting computers auto-install software that doesn't /directly/ come from a company that you've already approved - that is, Microsoft updates for Windows, Mozilla Foundation updates for Mozilla or Firefox, Adobe updates for Photoshop - causes more problems than it reduces headaches. Make people go through extra steps if they want to install FREE PR0N EXPAND YOUR PENIS NOW or A COOL SCREENSAVER FOR YOU, since computers have long been training your average user to just say 'ok' to any dialog box that pops up.

      --
      This flies in the face of science.
    2. Re:Sounds logical but... by JudgeFurious · · Score: 4, Informative

      I know what you mean about never clicking "OK" or "YES" buttons, hell I won't even click "NO". Ok, so it's not so much a problem these days what with the OSX and the Mac but at the end of my Windows "experience" I simply decided that nothing that popped up could be trusted. I got the idea in my head that even the "NO" button was a lie.

      My own saving grace (I think) was that I got in the habit of always going down to the taskbar and doing the "right-click, close" bit.

      Education is the ticket but man, I question whether or not some of these people can be educated. I've been at this for over a decade in the same job, supporting the same people and the people I've been trying to teach continue to step on the landmines. Sure from time to time there's a success story or two with my users but for the most part the ones who are going to screw up continue to screw up.

      --
      Appended to the end of comments you post. 120 chars.
  4. Keep on dreaming by Ubi_NL · · Score: 4, Informative

    After the whole debacle with the DNS, somehow I don't see Verisign prioritize ethics over profit any time soon.

    --

    If an experiment works, something has gone wrong.
  5. New Times? by HateBreeder · · Score: 5, Funny

    Perhaps, one day after Drive-By Downloads are stopped, a new era could emerge...
    A time in which east-side nerds could live side by side with west-side nerds.

    I have a dream...

    --
    Sigs are for the weak.
  6. but my company name really is by Anonymous Coward · · Score: 5, Funny

    I DARE YOU TO CLICK YES

    we were also considering

    CLICK YES YOU MORON

    OMG, WERE YOU SERIOUSLY GOING TO CLICK NO

    and

    THIS IS SO COOL, YOU GOTTA SEE WHAT HAPPENS WHEN YOU CLICK YES

  7. Click yes to continue by Anonymous Coward · · Score: 5, Funny

    Reminds me of a comment on politics which also appeared on /. some time ago.

    It was proposed to change one's name to None Of The Above and run for presidency.

  8. Why should Verisign oblige? by littlem · · Score: 5, Insightful
    Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."

    Come on! Verisign's whole business model is to sell as many certificates as it can - it's simply not in their interests to show scruples like that. Verisign have the MicroSoft seal of approval, so for the average desktop user that makes their reputation beyond suspicion, so they have nothing to lose.

  9. Re:Verisign is not at fault. by MichaelSmith · · Score: 5, Insightful
    Here's how MY browser works: It displays webpages

    My Sister-in-law runs redhat 9 (because I installed the system)

    She tells me that she often goes to sites which offer games which she (or her son) would like to run. Most of the time they don't work, either because they need Java or ActiveX, or because they are just broken.

    Either way it is my fault for giving her a PC which doesn't do all these things

    You and I have reasonable expectations about technology. The person in the street has different expectations and they drive the market

  10. Re:Verisign is not at fault. by jrumney · · Score: 4, Informative
    IE has a checkbox in the advanced settings called "Enable install on demand" but unchecking it makes no difference as far as I can see.

    Unchecking it prevents IE from offering to download IE language packs when you visit a website you cannot view with currently installed languages. Nothing more. If you have all the languages you can read installed already, then you probably won't want this checked.

  11. Clicking Yes to continue... by Bob64 · · Score: 4, Funny

    From what I have seen, I believe that the employees at Verisign are "Clicking yes to continue" when approving certificate requests. Or someone mistakenly clicked the "Yes to All" button.

  12. A dumb users first experience of the internet... by buro9 · · Score: 5, Insightful

    ...is to trust everyone.

    They have to.

    Every site that they visit will have embedded Flash, embedded Java, embedded QuickTime, embedded Real, embedded midi (FFS!).

    They are taught on their first few days to trust everyone, and that nothing that they want to achieve can be done without trusting that the site is legit in asking you to download and install stuff.

    And when they speak to their geek friends (or friends of their kids), they get told dismissively and condescendingly that YES, they must install to see the site properly, to do what they want. You can bet that they won't ask a second time!

    Is it really a surprise then, that we have a problem later with dumb users downloading spyware, adware, and malware in general?

    The problem could be much alleviated by simply pre-installing all of the key technologies in advance.

    Some Linux distros do this... my mother knew from the first moment she used Simply Mepis that she didn't need to download anything else... I told her this, and because nearly all of her sites worked (just not pogo.com) she hasn't downloaded anything else.

    But you can't do this with Windows... because Windows gives you nothing, and certainly nothing from Apple, Real, Macromedia, Sun, etc... and then to compound it, Windows is an open playground for malware once downloaded.

    If Windows RME were permitted to be shipped with not just alternatives and pre-configured competitor offerings for media, but also with common plugins for the web... and... maybe even Firefox to give choice... then this would do more to prevent malware spreading than Verisign being forced to change their practices.

    Of course... hell would freeze over, pigs would fly, and the Bush would have an epiphany on social welfare before all of the above happened.

  13. The answer by tinus · · Score: 5, Informative
    This is what Verisign answered when I asked them the same question last year (and then refused the stupid automated reply):
    In response to your email, when this company submitted their request for a
    digital certificate, we followed our standard authentication &
    verification policies to make sure of the following:

    1. That the company, Click Yes To Continue, is indeed a legitimate company
    and has the right to conduct business under this company name, which was
    confirmed using an online, 3rd party web site for validating companies
    located in Canada.
    and
    2. Received a valid phone bill from the company, which we used to call
    the company back & confirm the order.

    Please note that when a company obtains a code signing certificate, we DO NOT
    validate their code, as the customer has to agree to our certificate
    policies before even submitting their request online.

    Therefore, we did not issue a certificate to a 'fake company'. However, we
    will forward your email to our internal security department and Verisign
    Lawyers to see if this company is indeed distributing fraudulent code using
    a certificate obtained through Verisign.

    Obviously, nothing happened afterwards.
  14. Obviously by evanh23 · · Score: 4, Informative

    Obviously 90% of the people posting in this discussion have no practical experience with this subject. The certificate in question is a code-signing certificate. Have you ever bought (or tried to buy) one of those from Verisign? I have and let me tell you--it is a royal pain in the ass. I can say with almost certainty that those certificates that are from a company called "CLICK YES TO CONTINUE" did not come from Verisign.

    It took me nearly two weeks to track down all the paperwork to get my code signing certificate (Authenticode). The process includes designating two contacts, faxing over several forms (including a valid county business license for the company name on the application) and a notarized agreement of indemnification because they weren't able to do 3rd party identity validation on my company (they look your company name up in the white pages and call the number to make sure it exists and that you do indeed work there. My company wasn't in the phone book.) They also try to look you up in D&B. This all came after giving them the $500 for the certificate.

    That being said, I don't see how anyone could get away with purchasing a certificate such as described in the article from Verisign--maybe Thawte or another. IMO Verisign is taking some flak here due to /. ignorance.

  15. Re:A dumb users first experience of the internet.. by TractorBarry · · Score: 5, Insightful

    > And when they speak to their geek friends (or friends of their kids), they get told dismissively and condescendingly that YES, they must install to see the site properly, to do what they want. You can bet that they won't ask a second time!

    Not this geek friend. I tell people not to trust anyone on the internet and to never download any crappy plugins as 90% of them will simply be used for serving up intrusive advertising. And if the site doesn't work without their plugins then go elsewhere.

    After I've removed the first load of spyware and repeated the advice they usually listen. If not they don't get a second visit from me. I just point them to the internet and say "You're not interested in my advice so you can fix things yourself".

    Sorry I've gone half tilt Amish on the idiots of the internet. If you can't get your message over to me using plain old HTML and static images you can stick your message up your arse.

    The internet is not digital TV.

    Personally I can't wait 'til someone invents some sort of uber bandwidth media-tastic bright & shiny "Hyper Net" (now with unbrakabul DRM (tm)). Then all the drongos can go and happily consume on it whilst leaving the rest of us with our "good old" internet.

    Plugins ? I spit on you all.

    --
    Sky subscribers are morons. They pay to be advertised at !
  16. Quit treating certificates as indications of trust by argent · · Score: 4, Insightful

    The other solution is to quit treating digital certificates as something to do with trust (the authorization-vs-authentication fallacy). Microsoft's stupid "security zones" model takes this blatant idiocy further than anyone, but all browsers have adopted some similar conceptual structure.

    A certificate doesn't tell you anything about whether a web site is secure, trustable, or anything else. It simply provides a slightly better verification of identity.

  17. Re: Java? by archen · · Score: 4, Insightful

      You'd be surprised. Our company bought a product from UPS logistics that uses the Sun Java runtime but doesn't work in Firefox. (Yes, I'm serious.) Turns out they have a bunch of IE-only JavaScript that sends parameters to the applet; without the parameters it doesn't initialize. I dug around the system for like an hour trying to figure out what it was doing, but in the end just gave up. Lazy programmers will always bone you, no matter how portable something is supposed to be.

  18. The point is... by davegust · · Score: 4, Informative

    The point of certificates is to prevent impersonation of trusted sources by untrusted sources. Anyone can register a valid company name. Verisign considers proof of name a printed phone listing (they call you back at the published number) or a notarized copy of a business license.

    So somebody seems to have registered a company name "Click YES to continue" in some state. It's probably a legal company name. I agree with the author that this is obviously deceptive practice, and Verisign should revoke the certificate. In addition, we should be able to complain to Verisign about other companies violating the Verisign agreement.

    I don't know what they do if the company name is a duplicate of another previously registered name.
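
The points argued in comments 1, 5, 6, 8, 16 and 18 above (the root store is the user's own trust decision; a code-signing certificate authenticates a subject string and nothing more; that string can be anything the CA agreed to put in it) can be shown end to end in code. The program below is an example added to this mirror; it is not code from any commenter, from Ben Edelman, VeriSign or Microsoft. It is a toy model of Authenticode built on Go's standard crypto/x509 package: the root CA name, the subject "CLICK YES TO CONTINUE", and the payload bytes are all constructed here, and the real Authenticode container (PKCS#7 SignedData over a PE image hash) is not reproduced. The verifier asks only whether the certificate chains to a root it was handed and whether that certificate's key signed the bytes; it returns the subject string verbatim and never inspects the payload.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for tmpl signed by parent (self-signed when
// parent is nil). Cryptographically this is all a CA does; vetting the subject string is not part of it.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// rootTemplate describes a root that may sign certificates, like the CA entries in an OS trust store.
func rootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// leafTemplate describes a code-signing certificate for whatever subject string the
// customer supplied; nothing in X.509 requires it to resemble a business name.
func leafTemplate(subject string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: subject, Organization: []string{subject}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
}

// verifySignedPayload answers two questions only: does cert chain to a root in roots that permits
// code signing, and did cert's key sign these bytes? It never looks at what the payload does.
func verifySignedPayload(roots *x509.CertPool, cert *x509.Certificate, payload, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return "", fmt.Errorf("bad signature: %w", err)
	}
	return cert.Subject.CommonName, nil
}

type Outcome struct {
	Subject    string // what a browser's "install?" dialog would display
	TrustedOK  bool   // root in the pool, payload unchanged
	NoRootOK   bool   // user removed that root from the pool
	TamperedOK bool   // root trusted, payload altered after signing
}

// Demo runs the thread's scenario with a constructed root, subject name and payload.
func Demo() (Outcome, error) {
	caKey, caCert, err := issue(rootTemplate("Example Root CA (constructed)"), nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	leafKey, leafCert, err := issue(leafTemplate("CLICK YES TO CONTINUE"), caCert, caKey)
	if err != nil {
		return Outcome{}, err
	}
	payload := []byte("constructed installer bytes; the verifier never reads them")
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	if err != nil {
		return Outcome{}, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)
	tampered := append([]byte("X"), payload[1:]...) // one byte changed after signing
	subject, errTrusted := verifySignedPayload(trusted, leafCert, payload, sig)
	_, errNoRoot := verifySignedPayload(x509.NewCertPool(), leafCert, payload, sig)
	_, errTampered := verifySignedPayload(trusted, leafCert, tampered, sig)
	return Outcome{subject, errTrusted == nil, errNoRoot == nil, errTampered == nil}, nil
}

func main() {
	fmt.Println(Demo())
}
```

Three things fall out of running it. With the root in the pool the signature verifies and the name handed back to the dialog is exactly the string the CA put in the certificate, which is comment 6's point that the check is authentication, not endorsement. With an empty pool the same signature fails with "certificate signed by unknown authority", which is the remedy comment 1 proposes and comment 5 locates in the OS store; note that passing nil as Roots would make Go fall back to the system store, the default the thread is complaining about. With one byte of the payload changed the signature fails, so what a valid signature buys you is integrity plus a name, and nothing about what the bytes do once installed.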