[4256] in WWW Security List Archive
Re: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (Clare Chu)
Thu Feb 6 03:15:56 1997
Date: Wed, 05 Feb 1997 22:29:23 -0800
From: Clare Chu <cchu@cisco.com>
To: Brian Toole <btoole@oakmanor.com>
CC: WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Brian Toole wrote:
>
Brian, an extremely well-written piece.
> I don't think the real issue here is the
> motivation of the hack. The real issue is the
> fact that it (theoretically) has been demonstrated
> that the mere presence of a piece of signed code
> does not imply that an application is secure.
>
> "Oooh. It's signed, so it
> is safe to use."
Good point. It's like telling kids not to talk to
strangers. But when the stranger holds a certificate
then it's okay.
> Digital signatures (Authenticode) provide little
> real assurance of a "safe" application when the
> certificate is not granted on the basis of the
> object being certified. This is a real problem
> when the object does not operate in a constrained
> environment (sandbox) when executed by the browser.
The only guarantee is to not allow objects to do anything
that can be damaging. What scares me about ActiveX is
the disk access part. Even more scary is that the
average user thinks, "Hey Microsoft is vouching for the
safety by these certificates so it must be okay."
>
> "Some software, such as the Microsoft Internet
> Explorer 3.0, offers end-users an option to
> bypass making an explicit choice to trust code
> from each new software publisher. If an end-user
> checks an option to trust all software signed by
> vendors who have met the financial criteria,
> code signed by these vendors will be run without
> any user intervention."
>
> The last time I checked, security had little to
> do with such financial criteria.
Indeed not. Just because someone has excellent references
does not mean he's not a crook. What certificates do for us
is to lull users into a false sense of security. It's like
the door-to-door charity peddlers waving their badges at your
peephole. And you're supposed to open the door because they
got a badge? Security means making sure the door is closed,
(i.e. operating in a constrained sandbox). Not trusting that
something won't harm us because it has a referral (or a badge),
but not allowing it to hurt us because it can't. Of course once
you open the door, it's too late.
>
> Additionally, the information presented to the
> end-user to make this choice is not sufficiently
> detailed to make an informed selection. How the
> heck is an average user supposed to know if
> this "blob" of stuff won't do something "bad"
> based solely on the financial rating of the
> company that provided it?
Exactly. That "blob" of stuff has to be verified that it does not
do something bad.
>
> 2. Block ActiveX from the public network.
I got so nervous about this, when IE would issue a warning and ask
about certificates, that I deleted IE from my desktop. I figure
the Netscape browser can't execute ActiveX, so I'm safe.
>
> I don't see how anyone charged with a corporate
> security policy could let ActiveX through their
> border, and still feel comfortable about it,
> especially into a population of W95 or WFW
> clients.
>
> If someone wants to debate this, I'm more than
> interested in hearing ways this could be made
> safe enough to do in a publicly traded company,
> where the stockholders can sue the pants off
> you for not taking "prudent measures" to protect
> corporate information.
What I wonder is if someone could sue the certificate holder?
After all, he either knowingly or unknowingly allowed his applets
to do harm.
>
Clare