[4258] in WWW Security List Archive
What does Authenticode Certify ? (was: Sceptic about (Funds Transfer w/o PIN))
daemon@ATHENA.MIT.EDU (Brian Toole)
Thu Feb 6 06:34:04 1997
Date: Thu, 06 Feb 1997 04:45:23 -0500
From: Brian Toole <btoole@oakmanor.com>
Reply-To: btoole@oakmanor.com
To: WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

>-----Original Message-----
>From: cchu@cisco.com [SMTP:cchu@cisco.com]
>Sent: Thursday, February 06, 1997 1:29 AM
>
>> I don't see how anyone charged with a corporate
>> security policy could let ActiveX through their
>> border, and still feel comfortable about it,
>> especially into a population of W95 or WFW
>> clients.
>>
>> If someone wants to debate this, I'm more than
>> interested in hearing ways this could be made
>> safe enough to do in a publicly traded company,
>> where the stockholders can sue the pants off
>> you for not taking "prudent measures" to protect
>> corporate information.
>
>What I wonder is if someone could sue the certificate holder?
>After all, he either knowingly or unknowingly allowed his applets
>to do harm.
>
>
>Clare

This is an interesting point. I wonder if
standard errors and omissions insurance would
cover the vendor... (I'm no lawyer, and it
probably isn't a topic for this list anyway).

On the other hand, I think that the evidence
is beginning to gather enough momentum to cause
a CIO/CTO to sit up and take notice of the risks that
they are opening themselves up to if their
security policy allows free traversal of ActiveX
objects across their network borders.

Most corporations don't allow users to download
and execute random pieces of shareware on their
network, and (IMO) allowing ActiveX applets in
with the current criteria for obtaining a SPC
is even more dangerous, due to the false sense
of security that the average end-user has after
seeing that "official looking" certificate thingy
pop up on their screen.

By no means am I M$ (or Verisign) bashing here.
If this type of pseudo-security mechanism was being
pushed (in a similar context) by any other big
vendor I'd be just as leery. The "digital signature"
part of this isn't the issue. It's the scope of
trust (full) that is implied by that signature that is
in question.

To offer some suggestions, rather than just bitch,
the easiest short term solution would seem to be
for a CA to tighten the criteria for obtaining SPC
certificates that would include rigorous (independent)
and well-documented testing of the object(s) in question.

At a minimum, this testing could certify that the
object does only what it advertises, carries no hidden
code, and is not subject to the more common forms
of hacker coercion.

This, of course, costs a lot more in manpower and
capital than simply doing a D&B query on someone,
and would by definition, impart a certain amount
of liability onto that certifying authority.

Still, if someone were to set themselves up as a CA
that offered this type of service, security managers
could have at least a minimal amount of assurance
that code signed with SPCs from that particular
CA aren't going to explode in their faces.

If treated properly, this could be a good marketing
point, and a checklist item for those in charge of WWW
security policies. At least you could enforce a policy
that said "Only accept certificates issued through
the TestedCodeCompany Certification Authority", and
explicitly disallow everything else. I wonder if M$
would submit to that level of certification...

It might even make an interesting mass market
campaign should ActiveX exploits start to attract
more attention from the media.

I'd be interested in hearing from other security
managers if this type of certification would be helpful
or a no-op for them...or if anyone knows of someone
already offering this type of service. I don't.

In the end though, putting ActiveX in a sandbox when
it arrives through an untrusted transport is still the
correct (IMHO) approach. Coupling it with an optional
method to determine if a certificate has been revoked
_every_ time the object is loaded will provide a
mechanism to deal with "compromised" certificates.

As I saw someone else mention a while back, just imagine
the chaos that would prevail if somehow Microsoft or
some other big vendor lost a copy of their key to the
kewl doodz.

Just my $0.02
--Brian