Slashdot Mirror
Do You Code Sign?
Saqib Ali asks: "I am a regular reader of Bruce Schneier's Blog, Articles, and Books, and I really like what he writes. However I recently read his book titled 'Secret and Lies' and I think he has done some in-justice to the security provided by the 'Code Signing.' On page 163 of his books, he (Bruce Schneier) basically states that: 'Code signing, as it is currently done, sucks.' Even though I think that Code Signing has its flaws, it does provide a fairly good mechanism for increasing security in an organization." What are your thoughts on the current methods of code signing in existence, today? If you feel like Bruce Schneier, how would you fix it? If you feel like Saqib Ali, what have you signed and how well has it worked?
"The following are the reasons that he (Bruce Schneier) gives:
Bruce's Argument #1) Users have no idea how to decide if a particular signer is trusted or not.
My comments: True. However in an organization it is the job of the IT/security dept to make that determination. It shouldn't be left up to users. The IT dept should know not to trust "Snake Oil Corp.", however anything from "Citrix Corp" should be fairly safe. Moreover Windows XP SP2 provides provides a mechanism to create a Whitelist of certain trusted signers, and reject everything else. This is a very powerful security mechanism, and greatly increase the security in a corporate environment, if the workstations are properly configured. Having said that, this feature may not be that useful for home user, who can not tell the difference between Snake Oil and Citrix Corp.
Bruce's Argument #2) Just because a component is signed doesn't mean that it is safe.
My Comments: I fully agree with this. However Code Signing was never intended for this purpose. Code signing was design to prove the authenticity and integrity of the code. It was never designed to certify that the piece is also securely written.
Bruce's Argument #3) Just because two component are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited.
My comment: Again Code Signing was was never designed to accomplish this.
Bruce's Argument #4) "safe" is not all-or-nothing thing; there are degrees of safety.
My comment: I agree with this statement.
Bruce's Argument #5) The fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attack could delete or modify the signature during the attack, or simple reformat the drive where the signature is stored.
My comments: I am not sure what this statement means. I think this type of attack is outside the realm of Code Signing. 'It is like saying host based IDs or anti-virus are useless, because if you can compromise the system you can turn them off.'
I would really appreciate any comments / thoughts / feedback on the above mentioned Bruce's arguments and my commentary. I am planning to give a short talk about benefits of code signing, so any feedback will really help me."
Bruce's Argument #1) Users have no idea how to decide if a particular signer is trusted or not.
My comments: True. However in an organization it is the job of the IT/security dept to make that determination. It shouldn't be left up to users. The IT dept should know not to trust "Snake Oil Corp.", however anything from "Citrix Corp" should be fairly safe. Moreover Windows XP SP2 provides provides a mechanism to create a Whitelist of certain trusted signers, and reject everything else. This is a very powerful security mechanism, and greatly increase the security in a corporate environment, if the workstations are properly configured. Having said that, this feature may not be that useful for home user, who can not tell the difference between Snake Oil and Citrix Corp.
Bruce's Argument #2) Just because a component is signed doesn't mean that it is safe.
My Comments: I fully agree with this. However Code Signing was never intended for this purpose. Code signing was design to prove the authenticity and integrity of the code. It was never designed to certify that the piece is also securely written.
Bruce's Argument #3) Just because two component are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited.
My comment: Again Code Signing was was never designed to accomplish this.
Bruce's Argument #4) "safe" is not all-or-nothing thing; there are degrees of safety.
My comment: I agree with this statement.
Bruce's Argument #5) The fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attack could delete or modify the signature during the attack, or simple reformat the drive where the signature is stored.
My comments: I am not sure what this statement means. I think this type of attack is outside the realm of Code Signing. 'It is like saying host based IDs or anti-virus are useless, because if you can compromise the system you can turn them off.'
I would really appreciate any comments / thoughts / feedback on the above mentioned Bruce's arguments and my commentary. I am planning to give a short talk about benefits of code signing, so any feedback will really help me."
I've been reading Bruce's writings for several years now. I've even met the man and had dinner with him. To be honest, I'm not entirely sure what keeps him going.
One common comment at his blog is that most of his writings point out the flaws, but few point out solutions. A perfectly valid criticism, and quite accurate. Having worked in the computer security industry for nearly ten years now, I am coming to the conclusion that there may be no solution. We've all heard the joke about the only secure computer (no power, locked in a safe, encased in concrete, and at the bottom of the ocean), and laughingly made comments about how security would be easier if it weren't for the users, but have we really thought about that?
I've written several comments on /. regarding security, and I'm starting to come up with a trend: it isn't possible to really secure the computer if the end-user doesn't understand and/or care about security. Here on /. there are many, many people who care and understand. I run multiple firewalls on my systems AT HOME, plus antivirus and antispyware programs. I actually review my logs. I don't run any program that was written more recently than my AV updates. I'm what most "normal" people would consider paranoid. And I still run into issues.
Since I work in the industry, I am really struggling with this. I believe in security, I desire security, I really, really WANT security. I also see that none of my efforts will bring it as long as people are involved. People make coding mistakes. People are greedy. People are petty. People are malicious. The same instincts at work looting in New Orleans tonite lead some people to do anything in their power to hack other people's systems. The rest of the people, the so-called good people, sit at home and want their computers to be as simple as their toasters. They don't want to have to know about viruses, spyware, phishing, and Nigerian 419 scams. They want email, smilies, and porn.
Regardless of how despondant I feel about security in general, security theater really pisses me off. When I see a product or a process being sold as perfect security or as any kind of silver bullet, I just have to yell. People believing that one relatively good tool will fix everything is bad enough, but when they're told that a worthless tool will fix all their problems...
In theory, code signing has the potential in some environments to limit the risks from certain vulnerabilities. In practice, code signing for the masses is worse than worthless, because Joe User sees "Do you trust Microsoft?" and honestly believes that the code will do him no harm. He will then download and run any program, regardless of where it actually came from, as long as he gets presented with another "Do you trust Microsoft?" button, because he's been conditioned to say "Yes" by Windows Update. In this case (i.e. for general use on the Internet), the "all or nothing" concept is appropriate. Joe User would be far better off treating every application with suspicion than learning that the Code Signing Fairy will bless certain bits and everything else will be covered in foul-smelling, rotten tomatoes. There is no way that the code signing theory is applicable in general use, so using it is a bad idea.
Now that I'm sufficiently depressed, I think I hear a bottle of Jack Daniels calling me