[67402] in North American Network Operators' Group


Re: Stopping open proxies and open relays

daemon@ATHENA.MIT.EDU (Simon Waters)
Mon Feb 9 13:29:50 2004

Date: Mon, 09 Feb 2004 18:21:38 +0000
To: Nanog Mailing List <nanog@merit.edu>
In-Reply-To: <20040208110114.3CDF79123F@trapdoor.merit.edu>
From: Simon Waters <Simon@wretched.demon.co.uk>
Errors-To: owner-nanog-outgoing@merit.edu



NANOG Digest wrote:
> 
> It would help if systems would only execute code that is signed 
> properly. This would make malware traceable. However the current way of 
> getting your code signed is in many cases too costly for the casual open 
> source developer so people are used to running unsigned or self-signed
> applications even when the facilities to check signatures would already
> exist in the system. (though for example in Windows, signatures are only 
> checked at install, not runtime)

My supply of free software is signed by the developer/maintainer and the
trust relationship established through GnuPG, and Keyservers. The OS has
facilities to check these at install time if you want. You'd only need
to check at run time if root had altered the executables - and he is a
pretty solid chap here ;)

Similarly when I distribute free software it is always accompanied by a
signed MD5 hash of each file distributed.

So I don't think it is costly to do if you pick a suitable model.

The certificate authority approach is pointless until they provide
proper support for revocation, which most didn't last time I looked, but
I believe it is getting better. (I'm in the cynical group who believes
that the Certificate Authorities are a conspiracy to tax encryption).

But typically signing only proves the authorship, it doesn't tell you
anything about how well written (and thus compromisable) the code is, or
how trustworthy the recipient is ('anyone the certificate authority will
accept money off' - to paraphrase a comment), or how well protected
their keys are.

Signing is a fine approach, but I think sandboxing should take priority.
Here even if the code is subverted by malformed data, the key stolen,
etc etc - the damage is limited.

Lots of installed copies of IE seem happy to run any "signed ActiveX"
plugin - even when it is Spyware. Although I'm not clear if this is down
to a bad choice of defaults, or users not understanding that even signed
cheques bounce (indeed unsigned cheques don't get that far usually). One
more to check and switch to 'prompt' if you still use IE. Popular
spyware seems to go under inspiring names like spy.exe, trojan.exe etc,
but relatively knowledgeable Internet users still manage to get it
installed against their wishes.

I'm sure there is a more appropriate forum - but then there are probably
web pages discussing it in great detail. Of course neither approach
excludes the other.

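As an added example (not code from the post, nor anything its author distributes), here is a check of the scheme the post describes: a GnuPG signature over a manifest of per-file hashes, where the hashes are trusted only after the signature over them verifies and the check fails closed on any mismatch, missing file or unlisted extra file. Function and file names are assumptions of this example; it accepts the MD5 manifests the post mentions and SHA-256 ones as well, since MD5 collisions are practical today.

```python
# Added example, not code from the post: check a distribution that ships a
# GnuPG-signed checksum manifest, the way the post describes. Function and
# file names are this example's own assumptions.
import hashlib
import subprocess

ALGORITHMS = {32: "md5", 64: "sha256"}  # hex digest length -> hash name


def signature_is_good(manifest_path, sig_path):
    """gpg --verify on a detached signature; True only on exit status 0.
    The signer's key must already be in the keyring with its fingerprint
    checked out of band; a good signature from an unknown key proves nothing."""
    proc = subprocess.run(["gpg", "--batch", "--verify", sig_path, manifest_path],
                          capture_output=True, check=False)
    return proc.returncode == 0


def parse_manifest(text):
    """Parse md5sum/sha256sum text-mode '<hexdigest>  <name>' lines strictly."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, sep, name = line.partition("  ")
        algo = ALGORITHMS.get(len(digest))
        if algo is None or not sep or not name or "/" in name:
            raise ValueError("malformed manifest line: %r" % line)
        entries[name] = (algo, digest.lower())
    return entries


def verify_files(manifest_text, files):
    """files maps filename -> bytes of what actually arrived.
    Fail closed: every listed file must match, and every file that arrived
    must be listed, so an unlisted extra cannot ride in under the signature."""
    entries = parse_manifest(manifest_text)
    if set(files) != set(entries):
        return False
    return all(hashlib.new(algo, files[name]).hexdigest() == digest
               for name, (algo, digest) in entries.items())


def verify_distribution(manifest_path, sig_path, files):
    """Only trust the hashes after the signature over them checks out."""
    if not signature_is_good(manifest_path, sig_path):
        return False
    with open(manifest_path) as f:
        return verify_files(f.read(), files)
```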

