Slashdot Mirror
How VeriSign Could Stop Drive-By Downloads
emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."
So you expect an clueless computer user, who's just learning about this interweb, to understand the importance of trust when downloading software?
Even ignoring people who've never used a computer before, a lot of people are, unfortunately, very trustworthy.
Having partly software-verifiable certificates (i.e. signed by Verisign instead of self-signed) goes a long way to helping a browser tell a user whether or not they should be able to trust this mysterious "gator.exe" (of course, people will always find ways around it).
-- Dramatisation - May Not Have Happened
Perhaps, one day after Drive-By Downloads are stopped, a new era could emerge...
A time in which east-side nerds could live side by side with west-side nerds.
I have a dream...
Sigs are for the weak.
Aside from the enormous inconvience actually practicing this with high security settings.
If Versign is making certain claims about their trust worthiness, and that of the people they certify, they should be held accountable when those claims are demonstratibly false. They're lying for money. No it might not be the end users money, but it's their time that's being stolen, and Verisign is doing it for money. And while there certainly is some wisdom in being a wary buyer, I think their is something to be said for forcing people to keep their promises to the larger marketplace. "Oh, they're rich, it's good for their business.", doesn't exactly put me in a benefit of the doubt kind of mood.
I DARE YOU TO CLICK YES
we were also considering
CLICK YES YOU MORON
OMG, WERE YOU SERIOUSLY GOING TO CLICK NO
and
THIS IS SO COOL, YOU GOTTA SEE WHAT HAPPENS WHEN YOU CLICK YES
I'm sure there will be plenty of the "Use FireFox, Problem Solved!" comments as well. I have experienced, rarely, where a drive-by site is impossible to say "no" to when under Firefox and eventually crashed the browser but IE under SP2 handled itself very well on the same page. Right, IE just calmly and quietly installs the software for you if you're not computer-savvy enough to say 'yes' to the dialog box to start with. ;)
Seriously, though, I think that the /possibility/ of letting computers auto-install software that doesn't /directly/ come from a company that you've already approved - that is, Microsoft updates for Windows, Mozilla Foundation updates for Mozilla or Firefox, Adobe updates for Photoshop - causes more problems than it reduces headaches. Make people go through extra steps if they want to install FREE PR0N EXPAND YOUR PENIS NOW or A COOL SCREENSAVER FOR YOU, since computers have long been training your average user to just say 'ok' to any dialog box that pops up.
This flies in the face of science.
Reminds me of a comment on politics which also appeared on /. some time ago.
It was proposed to change one's name to None Of The Above and run for presidency.
Come on! Verisign's whole business model is to sell as many certificates as it can - it's simply not in their interests to show scruples like that. Verisign have the MicroSoft seal of approval, so for the average desktop user that makes their reputation beyond suspicion, so they have nothing to lose.
My Sister-in-law runs redhat 9 (because I installed the system)
She tells me that she often goes to sites which offer games which she (or her son) would like to run. Most of the time they don't work either because they need java or activex, or because they are just broken
Either way it is my fault for giving her a PC which doesn't do all these things
You and I have reasonable expectations about technology. The person in the street has different expectations and they drive the market
http://michaelsmith.id.au
the point of a certificate is NOT to verify that the company/person is a trustworthy company/person
it's to verify that the software is FROM the person/company on the certificate
certificates verify identification/authentication -- they are NOT an indication of trustyworthy software, nor are they supposed to be.
the problem is literacy and common sense, something that many people seem to lose the minute they touch a computer.
...is to trust everyone.
They have to.
Every site that they visit will have embedded Flash, embedded Java, embedded QuickTime, embedded Real, embedded midi (FFS!).
They are taught on their first few days to trust everyone, and that nothing that they want to achieve can be done without trusting that the site is legit in asking you to download and install stuff.
And when they speak to their geek friends (or friends of their kids), they get told dismissively and condescendingly that YES, they must install to see the site properly, to do what they want. You can bet that they won't ask a second time!
Is it really a surprise then, that we have a problem later with dumb users downloading spyware, adware, and malware in general?
The problem could be much alleviated by simply pre-installing all of the key technologies in advance.
Some Linux distros do this... my mother knew from the first moment she used Simply Mepis that she didn't need to download anything else... I told her this, and because nearly all of her sites worked (just not pogo.com) she hasn't downloaded anything else.
But you can't do this with Windows... because Windows gives you nothing, and certainly nothing from Apple, Real, Macromedia, Sun, etc... and then to compound it, Windows is an open playground for malware once downloaded.
If Windows RME were permitted to be shipped with not just alternatives and pre-configured competitor offerings for media, but also with common plugins for the web... and... maybe even Firefox to give choice... then this would do more to prevent malware spreading than Verisign being forced to change their practices.
Of course... hell would freeze over, pigs would fly, and the Bush would have an epiphany on social welfare before all of the above happened.
Obviously, nothing happened afterwards.
> And when they speak to their geek friends (or
> friends of their kids), they get told dismissively
> and condescendingly that YES, they must install to > see the site properly, to do what they want. You
> can bet that they won't ask a second time!
Not this geek friend. I tell people not to trust anyone on the internet and to never download any crappy plugins as 90% of them will simply be used for serving up intrusive advertising. And if the site doesn't work without their plugins them go elsewhere.
After I've removed the first load of spyware and repeated the advice they usually listen. If not they don't get a second visit from me. I just point them to the internet and say "You're not interested in my advice so you can fix things yourself".
Sorry I've gone half tilt Amish on the idiots of the internet. If you can't get your message over to me using plain old HTML and static images you can stick your message up your arse.
The internet is not digital TV.
Personally I can't wait 'til someone invents some sort of uber bandwidth media-tastic bright & shiny "Hyper Net" (now with unbrakabul DRM (tm)). Then all the drongos can go and happily consume on it whilst leaving the rest of us with our "good old" internet.
Plugins ? I spit on you all.
Sky subscribers are morons. They pay to be advertised at !
"CLICK HERE TO INSTALL" is not a legitimate name, not even a legitimate business name
Sir, I resent your libelous filth and my legal counsel will be conacting you shortly.
Aaron Firouz
CEO
CLICK HERE TO INSTALL, LLC.
Slashdot: News for nerds. Stuff tha-- MICRO$OFT IS THE DEVIL!!1
Verisign charges $400 for a code signing certificate. It doesn't appear they do anywhere near $400 worth of work at the moment. Even if it's true that catching scam names in advance is hard, revoking them should be easy. The "Click YES to continue" cert is still valid, and I can assure you that Verisign is quite aware of it.