[1308] in RISKS Forum


Re: Myths about digital signatures

daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Fri Feb 21 16:12:06 1997

Date: Fri, 21 Feb 1997 16:11:27 -0500
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: Edward Felten <felten@CS.Princeton.EDU>
Cc: risks@MIT.EDU
In-Reply-To: Edward Felten's message of Wed, 19 Feb 1997 17:12:43 -0500

   Date: Wed, 19 Feb 1997 17:12:43 -0500
   From: Edward Felten <felten@CS.Princeton.EDU>

   * Myth 2: If X has signed a program, and I trust X, then it is safe for me
   to download the program.

   Reality: There have been plenty of incidents of reputable and well-meaning
   organizations spreading viruses or serving as the base for security
   attacks.  Before accepting a download from X, it's not enough to ask "Do I
   trust X?"  One must also ask questions like "How carefully has X managed
   his cryptographic keys?" and "What is the probability that X's security has
   been penetrated?"  

It's even worse than what you described.  Even if X has carefully
managed his cryptographic keys, and X's security hasn't been penetrated,
X might not have designed the component carefully, or have executed a
competent implementation of that design.

For example, if an ActiveX component has a loophole where (with the
right document) said component can be induced to interpret and execute
arbitrary Visual Basic statements, even if the signer was honest, and
legitimate, and properly went through all of the Microsoft certification
procedures, it still might be possible to exploit a security bug in the
ActiveX component.  The Java security model at least *thinks* about
this issue, whereas the ActiveX approach completely punts about this
concern.

So this is a double-edged RISK, combining the RISK of people not
understanding what the digital signature means, and the RISK of more and
more complex applications with powerful macro facilities being used in
interesting ways (the prime example being the Word Concept virus; the
demarcation between code and data can get awfully blurry!).  

Neither of these RISKS is new, but when combined with the web and
the automatic downloading of ActiveX components, the potential for
problems caused by this combined set of RISKS is quite scary and
sobering.

						- Ted
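An added illustration of the point above, written for this archive page and not part of Ted's message or of any vendor's code: a "document viewer" component is signed by a publisher the client trusts, the client verifies that signature before running it, and a hostile document still gets the component to execute arbitrary code, because the component expands template fields with eval(). The signature check is implemented with an HMAC over the component's bytecode as a standard-library stand-in for a real asymmetric code-signing scheme; the publisher name, key, and the benign and hostile documents are all constructed for the example. A hardened variant of the same component, with an evaluator that only understands constants, document fields and arithmetic, is shown alongside it: the signature is equally valid for both, and the difference is entirely in how the component was designed.

```python
"""Added example: a component can carry a valid signature from a trusted
publisher and still hand control to a hostile document.

Illustrative code, not from the original post or from any vendor. The
"signature" is an HMAC over the component's bytecode (a stdlib stand-in for
an asymmetric code-signing scheme; the verify-then-run flow is the same).
Publisher name, key and documents are constructed for this example."""
import ast
import hashlib
import hmac
import operator
import re

# Constructed publisher registry: publisher name -> key the client trusts.
TRUSTED_PUBLISHERS = {"Example Software Co.": b"constructed-signing-key-not-secret"}


def component_bytes(viewer):
    """What the signature covers: the component's name plus its compiled code."""
    return viewer.__name__.encode() + viewer.__code__.co_code


def publish(publisher, viewer):
    """Publisher signs the component. Returns the signature shipped with it."""
    key = TRUSTED_PUBLISHERS[publisher]
    return hmac.new(key, component_bytes(viewer), hashlib.sha256).hexdigest()


def run_signed_component(publisher, viewer, sig, document):
    """Client side: refuse unsigned or tampered code, then run what was signed.
    The check proves only that the publisher signed this exact code; it says
    nothing about how that code treats the document it is about to open."""
    key = TRUSTED_PUBLISHERS.get(publisher)
    expected = hmac.new(key, component_bytes(viewer), hashlib.sha256).hexdigest() if key else ""
    if not key or not hmac.compare_digest(expected, sig):
        raise PermissionError("signature check failed; refusing to run")
    return viewer(document)


FIELD_RE = re.compile(r"\{\{(.+?)\}\}")  # {{expr}} placeholders in a document


def render_vulnerable(document):
    """Honestly written, properly signed, and still exploitable: fields are
    expanded with eval(), so the document's author decides what runs."""
    fields = document["fields"]
    return FIELD_RE.sub(lambda m: str(eval(m.group(1), {}, dict(fields))), document["template"])


_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def safe_eval(expr, fields):
    """Evaluator that knows only constants, document fields and + - *;
    every other AST node (calls, attributes, imports) is rejected."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in fields:
                return fields[node.id]
            raise ValueError(f"unknown field {node.id!r}")
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")
    return ev(ast.parse(expr, mode="eval"))


def render_hardened(document):
    """Same feature, but data stays data: fields go through safe_eval."""
    fields = document["fields"]
    return FIELD_RE.sub(lambda m: str(safe_eval(m.group(1), fields)), document["template"])


# Constructed documents: one benign, one that tries to reach the OS.
BENIGN_DOC = {"template": "Hello {{name}}, your balance is {{balance * 2}}",
              "fields": {"name": "Ann", "balance": 5}}
HOSTILE_DOC = {"template": "{{__import__('os').path.exists('/')}}", "fields": {}}


def demo(publisher="Example Software Co."):
    """Run both components under the same trusted signer and report the outcome."""
    results = {}
    sig_vuln = publish(publisher, render_vulnerable)
    sig_hard = publish(publisher, render_hardened)
    results["benign_on_vulnerable"] = run_signed_component(publisher, render_vulnerable, sig_vuln, BENIGN_DOC)
    # Valid signature, honest publisher, and the document still calls into os.
    results["hostile_on_vulnerable"] = run_signed_component(publisher, render_vulnerable, sig_vuln, HOSTILE_DOC)
    try:
        run_signed_component(publisher, render_hardened, sig_hard, HOSTILE_DOC)
        results["hostile_on_hardened"] = "rendered"
    except (ValueError, SyntaxError):
        results["hostile_on_hardened"] = "rejected"
    tampered = sig_hard[:-1] + ("0" if sig_hard[-1] != "0" else "1")
    try:
        run_signed_component(publisher, render_hardened, tampered, BENIGN_DOC)
        results["tampered"] = "ran"
    except PermissionError:
        results["tampered"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the two halves of the RISK side by side: the tampered component is correctly refused, which is all a signature can promise, while the untampered, correctly signed render_vulnerable happily evaluates "__import__('os')..." out of the document. The hardened viewer rejects the same document not because of anything in the signature but because its evaluator never lets a field become code.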
