Slashdot Mirror


Do You Code Sign?

Saqib Ali asks: "I am a regular reader of Bruce Schneier's blog, articles, and books, and I really like what he writes. However, I recently read his book titled 'Secrets and Lies' and I think he has done some injustice to the security provided by code signing. On page 163 of his book, he (Bruce Schneier) basically states that: 'Code signing, as it is currently done, sucks.' Even though I think that code signing has its flaws, it does provide a fairly good mechanism for increasing security in an organization." What are your thoughts on the current methods of code signing in existence today? If you feel like Bruce Schneier, how would you fix it? If you feel like Saqib Ali, what have you signed and how well has it worked? "The following are the reasons that he (Bruce Schneier) gives:

Bruce's Argument #1) Users have no idea how to decide if a particular signer is trusted or not.

My comments: True. However, in an organization it is the job of the IT/security dept to make that determination. It shouldn't be left up to users. The IT dept should know not to trust "Snake Oil Corp."; however, anything from "Citrix Corp" should be fairly safe. Moreover, Windows XP SP2 provides a mechanism to create a whitelist of certain trusted signers and reject everything else. This is a very powerful security mechanism, and it greatly increases the security in a corporate environment if the workstations are properly configured. Having said that, this feature may not be that useful for home users, who cannot tell the difference between Snake Oil and Citrix Corp.

Bruce's Argument #2) Just because a component is signed doesn't mean that it is safe.

My comments: I fully agree with this. However, code signing was never intended for this purpose. Code signing was designed to prove the authenticity and integrity of the code. It was never designed to certify that the piece is also securely written.

Bruce's Argument #3) Just because two components are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited.

My comment: Again, code signing was never designed to accomplish this.

Bruce's Argument #4) "Safe" is not an all-or-nothing thing; there are degrees of safety.

My comment: I agree with this statement.

Bruce's Argument #5) The fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: the attack could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored.

My comments: I am not sure what this statement means. I think this type of attack is outside the realm of code signing. 'It is like saying host-based IDS or anti-virus are useless, because if you can compromise the system you can turn them off.'

I would really appreciate any comments / thoughts / feedback on the above mentioned Bruce's arguments and my commentary. I am planning to give a short talk about benefits of code signing, so any feedback will really help me."
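The two mechanics the question turns on are the allowlist of trusted signers from the comment on Argument #1 and the point under Argument #2 that a valid signature proves only origin and integrity. The following is an added example written for this page, not code from the poster, from Schneier's book or from any Windows component. It models an Authenticode-style publisher check with Ed25519 from the Go standard library; the publisher names, the key fingerprints as allowlist entries and the sample component contents are all assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signer stands in for a publisher holding a code-signing key pair
// (hypothetical; a real deployment would use an X.509 certificate chain).
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair for a publisher.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Pub: pub, Priv: priv}, nil
}

// Fingerprint identifies a publisher key the way a trust list should:
// by the hex SHA-256 of the public key, never by the display name.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignedComponent is a piece of code, a detached signature over it, and
// the public key claimed to have produced that signature.
type SignedComponent struct {
	Code      []byte
	Signature []byte
	Pub       ed25519.PublicKey
}

// Sign produces the publisher's signature over the exact bytes of the code.
func (s *Signer) Sign(code []byte) SignedComponent {
	return SignedComponent{Code: code, Signature: ed25519.Sign(s.Priv, code), Pub: s.Pub}
}

// VerifyIntegrity answers one question only: were these exact bytes signed
// by the holder of this key? It says nothing about whether that key is
// trusted or whether the code is safe (Argument #2).
func VerifyIntegrity(c SignedComponent) bool {
	return ed25519.Verify(c.Pub, c.Code, c.Signature)
}

var (
	ErrBadSignature    = errors.New("signature invalid or code modified since signing")
	ErrUntrustedSigner = errors.New("signature valid, but publisher is not on the allowlist")
)

// TrustPolicy is the IT department's allowlist: key fingerprint -> publisher.
// Anything not listed is rejected even when its signature verifies.
type TrustPolicy struct {
	Trusted map[string]string
}

// Admit applies the two checks in order: integrity first, then trust.
func (p TrustPolicy) Admit(c SignedComponent) error {
	if !VerifyIntegrity(c) {
		return ErrBadSignature
	}
	if _, ok := p.Trusted[Fingerprint(c.Pub)]; !ok {
		return ErrUntrustedSigner
	}
	return nil
}

// Tamper returns a copy with one bit of the code flipped but the original
// signature still attached, simulating a modified download.
func Tamper(c SignedComponent) SignedComponent {
	code := append([]byte(nil), c.Code...)
	code[0] ^= 0x01
	return SignedComponent{Code: code, Signature: c.Signature, Pub: c.Pub}
}

func main() {
	vendor, _ := NewSigner("Citrix Corp")      // hypothetical trusted publisher
	snakeOil, _ := NewSigner("Snake Oil Corp") // hypothetical untrusted publisher
	policy := TrustPolicy{Trusted: map[string]string{Fingerprint(vendor.Pub): vendor.Name}}

	cases := []struct {
		label string
		comp  SignedComponent
	}{
		{"vendor, intact", vendor.Sign([]byte("ica-client.dll v1"))},
		{"vendor, tampered", Tamper(vendor.Sign([]byte("ica-client.dll v1")))},
		{"snake oil, intact", snakeOil.Sign([]byte("free-toolbar.exe"))},
		// Argument #2: the trusted signer's signature does not make this safe.
		{"vendor, but buggy", vendor.Sign([]byte("ica-client.dll v1 with stack overflow"))},
	}
	for _, tc := range cases {
		fmt.Printf("%-20s -> %v\n", tc.label, policy.Admit(tc.comp))
	}
}
```

The ordering in Admit is deliberate: a tampered component fails on integrity before its publisher is even looked up, and an unlisted publisher is rejected by policy no matter how good its signature is. The last case in main is the one Argument #2 is about: it passes both checks because nothing in the signature encodes whether the code was written securely.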

16 of 259 comments

  1. No, but... by TeknoHog · · Score: 4, Funny

    I co-sign. It comes in handy when your code has lots of trig math.

    --
    Escher was the first MC and Giger invented the HR department.
    1. Re:No, but... by Anonymous Coward · · Score: 0, Funny

      Trying to take the thread on a tangent, are you?

  2. Do You Code Sign? by frovingslosh · · Score: 4, Funny

    Of course I code sign, I'm deaf and mute you insensitive clod!

    --
    I'm an American. I love this country and the freedoms that we used to have.
  3. Yes, I sign everything by Anonymous Coward · · Score: 5, Funny
    FIRST POST

    -----BEGIN PGP SIGNATURE-----
    Version: PGP for Personal Privacy 5.0
    MessageID: 5NWrD3M0/1xt+ynMPHbCYX+e3KSK9qhU

    iQCVAwUBOFV2W1FO4fmE3w/VAQHgrgP9GlNAaTdNR7DI/Mh62H aZj49496wbM1Nh
    YKlmtJIse2vcLF4LFVLJ47zQi4dK21vPlQ9XXAk4n4cype4gDn p6nWR+Rrz+3DPC
    gpTUtsdlxZyMh0PvbAmssEX8z3In+cWgs43sjw6Tf0G4ENx68K 8yCEK0oe/aX0vv
    mktgUuXP6A4=
    =3mUU
    -----END PGP SIGNATURE-----

    1. Re:Yes, I sign everything by A+beautiful+mind · · Score: 4, Funny

      That's great you know!

      In case there is an imposter Anonymous Coward, finally we've got a way to detect it!

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    2. Re:Yes, I sign everything by Piquan · · Score: 2, Funny
      gpg: BAD signature from "CERT Coordination Center <cert@cert.org> (expires 2000-09-30)"

      No.

  4. Re:Now let's not go off on a tangent.... by 3waygeek · · Score: 2, Funny

    or this thread could get hyperbolic very quickly.

  5. Just a sine of the times. by jd · · Score: 4, Funny

    Periodically, you have to use trig functions for sine-ing. This technique arcs back to Pythagoras who would tan himself by sitting in the radians of the sun.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Just a sine of the times. by heinousjay · · Score: 2, Funny

      No, I think it's all the math...

      --
      Slashdot - where whining about luck is the new way to make the world you want.
  6. Re:This is it by Monte · · Score: 2, Funny

    At first glance I thought it was a reference to writing the software for those highway text display signs.

    "Yeah, I code signs. Ever been by the I75 exit on the Ohio Turnpike? That's mine."

  7. Re:"Always trust code from Microsoft" by madbrain · · Score: 2, Funny

    If you don't trust Microsoft code, what the hell are you doing running Windows ? I think Microsoft should have preloaded their cert store with the trust bit set.

    --
    -- Julien Pierre http://www.madbrain.com/blog
  8. One man's quirky tale by PIPBoy3000 · · Score: 2, Funny

    Our organization recently bought an email encryption product called Tumbleweed that was quite expensive. One of the features is that any e-mail with "[Secure]" at the beginning of the subject would automatically be encrypted. The catch is that in order to make a button in Outlook that added this text, it would cost an extra $8,000 for a custom add-in.

    Naturally the request came to me (even though I develop web applications). I whipped up a ten line Outlook macro that did it, spending about twenty minutes on it. Easy, right? The catch is that Outlook security is incredibly tight and unless you open massive security holes, the macro wouldn't run unless it was digitally signed by a trusted provider.

    I plunked down $400 for a Verisign certificate and spent the next couple weeks working with our SMS guy to create packages for the various Outlook versions, and the desktop guys to deal with people who had custom Outlook macros.

    Basically it was a huge hassle, done only because we had to. Still, it worked, and ended up saving some money. Crazy, though.

  9. Do You Headline Write? by Anonymous Coward · · Score: 1, Funny

    Apparently, not do you grammar understand....

  10. Re:Why code signing sucks. by dtfinch · · Score: 3, Funny

    Every newbie and their grandmother knows you just have to type "rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*" before using up2date, and do the same for any other repositories you might add.

  11. If You Are Even Talking About Code-Signing by the0ther · · Score: 2, Funny

    If you're even talking about this topic you are clearly not living in the real world of tight schedules and out-of-control projects. Chances are you're working in government. Who cares?

  12. Re:Why code signing sucks. by Anonymous Coward · · Score: 2, Funny
    Every newbie and their grandmother knows you just have to type "rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*" before using up2date, and do the same for any other repositories you might add.

    Apparently the guy who wrote the Fedora installer didn't know it.