Don't Trust Code Signed by 'Microsoft Corporation'
omarius writes "From the Microsoft Security Bulletin: 'VeriSign, Inc., recently advised Microsoft that on January 30 and 31, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation".' See the bulletin for more information. Brings a whole new meaning to the concept of 'Windows Update.' ;)" Most users probably ignore the name on a certificate presented to them anyway, but even that minimal protection is worthless if certificate authorities don't perform their job.
Re:That's what CRL's are for (Score:2)
A slightly better approach is OCSP (online cert status protocol), although that too has enough problems for at least two pages of writeup. The basic problem is that revocation doesn't work (once you've emitted a datum you can't retroactively take it back), which the credit card companies discovered about twenty years ago and which the X.509 designers may discover at some point in the future, although for now it's much more fun to fiddle with revocation protocols and mechanisms. Let's face it, as long as there are hordes of people willing to give you money for band-aids and pretend-fixes, why address the real problem?
Re:Uh.. (Score:2)
It may not be MS's fault in the slightest, but that doesn't stop their name from being all over it. And dammit, why does the parent to this post, a whining apologist, deserve Score:4?
hm... (Score:3)
In a perfect world, anyway...
- A.P.
--
* CmdrTaco is an idiot.
Re:Wondering... (Score:2)
...phil
Re:Some comments here... (Score:2)
The dates. Microsoft says that they received no legit certificates on the dates in question (Jan 29 and 30, 2001). If you check the date of the certificates and it says "Microsoft Corporation" on those dates, it's bogus.
And how many people are going to look at the dates?
If it's possible for MS to revoke those two, why can't the crackers revoke the real ones?
Microsoft didn't revoke them, Verisign did. The problem is that essentially nobody looks at the Revocation List.
...phil
VeriFucked (Score:2)
Re:Had to happen eventually. (Score:2)
"The only legitimate use for computers is games - everything else is a waste of time"
So, can you ever trust an automated software update again?
Sure, if you never use your computer for anything important ever again. Which pretty much relegates computers to only games.
Well, games and pr0n. Even my twisted 11-year old mind could not forsee the computer's role in the pr0n revolution.
Re:Some comments here... (Score:2)
IOW; if I'm in Fiji (opposite side of the international date line), and I check the cert at 12:00 noon GMT, could the UI tell me that the Jan 30, 2001 cert was actually dated Jan 31?
Re:Barf. (Score:3)
Ladies and Gentlemen, the barn door is open, and the genie is molesting the horses.
Re:Some thoughts (Score:2)
There is no way ANYONE, even Microsoft, can prove that it has not happened. But it will only take one counterexample to prove that it has.
And the current apparent lack of a counterexample does not prove anything.
Re:"Always trust content from Microsoft Corp?" (Score:2)
The danger is that the user will believe that the code really is from THE Microsoft.
Re:Microsoft screwed up by not using the Verisign (Score:2)
Or MS could have noticed the problem when VeriSign first started issuing code-signing certs, complained to Verisign, and had them put the CDP into the certificates.
Either way, MS is much more at fault about this than VeriSign, since they made NO effort to check that their browser supported revocation of certificates for signed code.
As I said, VeriSign screwed up but corrected their mistake within two months. Microsoft has been so negligent that they CAN'T POSSIBLY correct their mistake for many years, because so few people will apply their patches.
The security needs to be built into the software at the outset, not patched on later.
Microsoft screwed up by not using the Verisign CRL (Score:4)
Instead, they chose to ignore the possibility that the security might be flawed and allow revoked certificates to be used. They didn't give a damn whether someone got a fraudulent code-signing certificate for J. Random Software Company, and the browser couldn't tell that it had been revoked. They've only been prompted to take action when this unexpectedly happened using their own name.
VeriSign made an error and corrected it within two months. Microsoft made a bigger error and has taken five years (and counting) to fix it, then has the gall to blame it all on VeriSign.
Re:Had to happen eventually. (Score:2)
I have to agree that this research is very interesting, but everything that I've seen and heard about that requires a formal model of software becomes too complicated to use when applied to anything beyond trivial programs. This may be useful for something like little web applets, but forget trying to do something like a payroll, word processor or language interpreter in it.
-"Zow"
Trust who? Revoke what? (Score:2)
Okay, there's plenty to be said about this article, but two things that stand out to me are:
And how many people will go to install this update and click "OK" to accept the certificate signed by "Microsoft Corporation"? I mean, they heard that there was some serious problem in Windows, so they better apply this patch right away and the signature on the patch says that it's from MS, so it must be okay, right?
And this will prevent how many commercial web sites from working? "I just did what Microsoft told me to to fix the problem and now I can't buy anything at Amazon - not even with 'One-click' shopping."
Normally, I wouldn't want to see Microsoft take legal action against anyone, but I really think they should ream Verisign a new one for this. Maybe Verisign should learn not to take their job so lightly then.
-"Zow"
Re:Trust who? Revoke what? (Score:2)
Oh, you're probably right, which is why you or I would never stand a chance to go up against them if Verisign screwed us over like this, but for all the lawyers that MS has, I imagine that they could make a case that stands up in court (I mean, look at what they pulled at the Antitrust trial - if they can use a defense like "innovation", I'm sure they could find something to attack Verisign with). Of course, IANAL, and even if I were, I wouldn't work for MS.
-"Zow"
This Shows that (Score:3)
Separate the nerds from the company - fast! (Score:2)
So... why don't you? You're essentially saying that ``the company is nerds like you and me'' but really, how much of the company's personality comes from said nerds, and how much from obsessively competitive people like William Henry Gates III?
Time and time again, reading the testimony of ex-Microserfs, you see statements like ``we adopted the Microsoft culture'' which was...? Nerdism? Gentle altruism? Quiet pride? No, it was always obsession, competition, fear, elitism (FY-IFV badges), a cog-in-the-machine mentality.
You may fervently hope otherwise, but Microsoft is at heart an extension of Trey Gates, not a collective manifestation of geek culture with a few management problems. It has a track record, not ``had'' one. The mentality which gave it that criminal record is what drives Microsoft along. Separating Microsoft from their history is like unto separating the eggs from a well-cooked omelette. Remember the parable of the frog and the scorpion.
Much better to separate the nerds from the company, than the company from the nerds. That way, the nerds won't be so badly hurt when Microsoft bluescreens, which I suspect will happen with shocking speed.
A better solution (Score:2)
I think I should make up a CA called `Microsott Corporation' to self-sign these things with... (-:
The idea of an Open CA is a good one, but... how do we get M$ to include them in the list of trusted authorities within IE? A website with an audit trail of the emails/letters/transcripts from such an attempt would be interesting. (-:
Re:True story: Why you shouldn't trust Verisign (Score:2)
What's funny about the situation with washirv (the original poster) is that, OK, he's got a copy of the public key. But what good is that going to do him? Without the originally generated secret key, the server can't verify itself to incoming SSL connections.
The information he got from Verisign was almost useless, and his company will have to shell out another $500 for a new certificate (which as someone else pointed out isn't a bad idea anyway).
The Future... (Score:2)
However it is the WAY these things are set up. On how corp's deal with each other. On how systems and users are protected from everything except corporative interests. On how corp's try to gather everything into a weird electronic Mega-Bazaar. Do you think this is not so dangerous?
Note just how fast they reacted to this. It happened in January. If I'm not mistaken we are already a week before March ends. Can anyone be sure that these certificates were not used already?
Re:The system needs reform (Score:2)
Who will trust the trustees????
--
Re:Barf. (Score:2)
Half right. VeriSign *DID* think of this, and followed the documented standard protocol to revoke the certificate.
Microsoft has chosen not to implement a protocol to accept those revocations. That isn't VeriSign's fault, that's 100% grade-a Redmond stupidity, stemming from the facts that:
1) Their security people come from a Windows world.
2) More importantly, their marketing people write checks the programmers can't cash.
Don't blame VeriSign for this, it weakens your case on all the other things you might choose to blame them for.
-
Re:This is serious, but not as serious as it could (Score:2)
That's all well and good - until I need to install a new system. If I've never run Windows Update before, and have never been asked to accept a Microsoft certificate, how do I know the one I'm receiving is really from Microsoft, and not a man-in-the-middle attack, or a DNS spoof?
--Cycon
Re:Uh.. (Score:2)
Actually, yes I trust Microsoft. To a limited degree, anyway. I decided years ago that if I was going to play in MS's sandbox, I'd play by their rules. It was just too fscking hard to install Unix-like utilities, editors, and what-not, just to have the whole house of cards come tumbling down because something expects filename case sensitivity or bare LFs or some other niggling little detail.
I went through a period of trying to do things "the right way" -- Backing up old versions of software before installing new, stuff like that. And you know, that didn't work either. Because unless you get all the crap they put in the Windows directory and the registry, you're screwed when you try to back out a change anyway.
So, when in Microsoft, do as Bill Gates does. I'll let programs crap all over the Windows directory and registry. I'll take everything offered by Windows Update. It's the MS way. It's stupid, it's insane, it's plainly the wrong way to design an OS, but you gotta play by the OS's rules or you'll go insane. (I'd have the same problems trying to apply MS or Mac conventions to the Unix world. It just don't work that way.)
So, yeah. I've trusted MS far enough to install their OS on my machine, I may as well trust 'em to give me an ActiveX component now and then.
But never, ever, ever install the Comet Cursor!
Chelloveck
Re:Slitting the American Underbelly -- A Commentar (Score:2)
OK, back that up with some actual facts . . . Still waiting . . . OK the fact is this has never happened or even been attempted (yet). Quit with all your over-dramatized, emotional statements, please.
Check their issuance lists (Score:2)
Anyone have any lead on the certs we should be avoiding? Are they on their CRL (even though codesigning wisely (cough) doesn't check the CRL)?
Advice to potential Slashdot critiquers [OT] (Score:2)
What about the guy who misrepresented himself? (Score:2)
That's what CRL's are for (Score:5)
It is because they haven't bothered to do this yet that this is possible - think about it - if CRLs were implemented, and every application that used Certs checked the Revocation list of the issuing CA, this problem would have a trivial solution - Revoke the Cert, and this "fraudulent" issued cert becomes useless.
But since Microsoft, Netscape/AOL, and most other vendors of Certificate aware software haven't bothered until VERY recently to even think of the CRL, then this is now a rather large problem...
Anyways... I hope this causes them to go and actually implement RFC compliant CRL capabilities in all of their products - would make those of us who work with them VERY happy....
McAlister
MicroSoft Should Be Listing...... (Score:2)
Microsoft tested the following products to assess whether they are affected by this vulnerability. We will waive normal support guidelines to provide remediation for all operating systems that are still in widespread use, regardless of whether they are normally supported or not.
* Microsoft Windows 95
* Microsoft Windows 98
* Microsoft Windows Me
* Microsoft Windows NT 4.0
* Microsoft Windows 2000
Now, maybe I'm wrong here. But it seems to me that this problem affects other operating systems, not just Windows. What about Windows 3.11? While it is mostly phased out, it would affect anyone using it who happened upon a website that had these certificates on them. What about a Linux or Mac user? It certainly would also affect them if they came upon the website. Now, to my knowledge, MS doesn't make any Linux software, so it doesn't do anything with ActiveX, but what about Macs? There are versions of Office for Macs, wouldn't it affect them? Seems to me that someone was a bit cloud-headed when they wrote this.
Re:Wondering... (Score:3)
?Microsoft Corporation? (Score:2)
Re:?Microsoft Corporation? (Score:3)
It's still VeriSign's fault then (Score:2)
It seems that VeriSign really dropped the ball here by first not properly verifying the submitter, then by not providing a way of getting a revocation out in the case they made a mistake. This is just poor planning overall.
Not that I'm surprised, they also own Network Solutions [netsol.com]... birds of a feather.
CA's in general (Score:3)
This goes great with this [slashdot.org] article from a couple of days ago.
I used to think that the whole idea of paying a shitload of money to goons like Verisign was that you could trust the certificates issued by them. If they make mistakes like this, how can I trust them anymore? Furthermore, how can I trust the certificate any ecommerce site that uses their certificates?
This is a huge problem for all CA's if this is a precedent. I'm really curious to see what, if anything, Verisign will do about this.
Re:That's what CRL's are for (Score:2)
OCSP = online status checking protocol
This means that instead of checking your cert against a huge CRL (that you have to download every day) you just query the appropriate OCSP responder for that issuer, and you do a realtime query.
The dialog should be of the type:
software xyz presented certificate abc: what do you want me to do?
accept cert refuse cert check cert cancel
where 'check cert' does a query. Problem with this approach is that they have to beef up their hardware to handle all these requests, but if you don't care if the cert is valid at all, why even bother with certs in the first place.
Re:Always trust content from Microsoft Corporation (Score:2)
This post is Verisign certified Microsoft content. Trust us, it will work. Really.
---
CRLs are not the long-term answer (Score:2)
 
CRLs are the nuclear waste of the PKI industry.
They never go away, they keep getting larger, and eventually, there will be no place to keep them :-)
All PKI suffers from this (Score:5)
The super heavy deadbolts on my front door are useless if I pass out the key. The electronic security system is just a bunch of lights and buzzers if I give out the passcode or everyone ignores it. The extra heavy combination lock is just dead weight if the hinges of the safe are on the outside of the door.
Public Key cryptography is only as strong as the security on the key. The article says that this doesn't fit the strict definition of a security vulnerability, presumably because it doesn't break the software. Well, I'd like to disagree. Part of the product, part of what M$ sells with the promotion of signed ActiveX controls, is that the pieces of code are trusted. This is not a piece of software they are selling, it's an entire system. The software is only part of it. The system has been broken. This makes it a security vulnerability in the same way that giving out keys to my front door and the combination to my safe are security vulnerabilities.
The gist of my rant, and the point I'm trying to convey, is that systems are more than just the software. To concentrate only on one part of the system when defining terms to describe the safety of the whole system is foolish.
Re:Uh.. (Score:2)
It's a code-signing certificate. Not a certificate for a web site.
Even then, people have thought of this problem. That's why you revoke certificates. The only problem is that Microsoft doesn't check for revoked certificates. This has been brought up before, with no action on Microsoft's part... until now, when it's too late.
Bigger problem (Score:3)
I dunno, but it seems to me that they have the bigger problem. We put our trust in VeriSign to properly identify people requesting certificates. That trust has been broken now.
---
Re:Uh.. (Score:2)
A few days back we had the whole thing about "why are these certificates so expensive".
Self evidently their procedures for checking are (or were) insufficient.
Re:Always trust content from Microsoft Corporation (Score:3)
Trust relationships with cryptography (Score:5)
But nowadays if a company becomes untrustworthy through malicious intent or just plain incompetence it's not possible for users to 'un-trust' a certificate authority trusted by the browser/software manufacturers.
There should be a higher degree of control at the end-user as to which CA's are trusted.
-- Greg
Wondering... (Score:2)
Re:Uh.. (Score:2)
"Microsoft -- a name that you shouldn't trust.".
--
Re:It's still VeriSign's fault then (Score:2)
It would appear that as a result of this, MS is also providing users with the ability to supply personal CRLs. -- Not that I'm paranoid enough to probably ever need to build one, but you never know
With a CDP, the certificate signer is telling you who they are, and where to find the CRL for that cert. This makes it computationally feasible to check the CRLs for each cert (presuming that you're online!). It would also (presumably) make it possible for a certificate authority to segment their database, and provide different search points for various groupings of certs -- thus minimizing the work needed for any database serving up CRLs.
--
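The check that McAlister's post ("That's what CRL's are for") and the post above on CDPs describe, written out as an added example in Go; it is not code from the thread, from VeriSign or from Microsoft, and it uses only the Go standard library. It builds a constructed, in-memory PKI (a hypothetical CA name, a hypothetical CDP URL, a leaf with the subject "Microsoft Corporation", and a CRL revoking that leaf), then verifies the leaf twice: once with chain and validity checks only, which is the behaviour the thread complains about and which accepts the revoked certificate, and once following the leaf's CRL Distribution Point, checking the CRL's signature and freshness against the issuer, and rejecting the revoked serial. The CRL "fetch" is a local stand-in for the HTTP GET of the CDP URL so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildTestPKI constructs an in-memory PKI: a CA, a code-signing leaf with
// subject "Microsoft Corporation" carrying a CRL Distribution Point, and a
// CRL from that CA revoking the leaf. CA name and CDP URL are hypothetical;
// nothing here is VeriSign's or Microsoft's material. Panics on fixture errors.
func BuildTestPKI() (ca, leaf *x509.Certificate, crlDER []byte) {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Hypothetical Class 3 Code Signing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CA may sign certs and CRLs
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err = x509.ParseCertificate(caDER)
	must(err)
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(20010130), Subject: pkix.Name{CommonName: "Microsoft Corporation"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		CRLDistributionPoints: []string{"http://crl.example.invalid/class3.crl"}, // hypothetical CDP
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	must(err)
	leaf, err = x509.ParseCertificate(leafDER)
	must(err)
	// The CA revokes the leaf, as VeriSign revoked the two fraudulent certificates.
	crlDER, err = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	must(err)
	return ca, leaf, crlDER
}

// VerifyCodeSigner checks that leaf chains to ca and is valid for code signing.
// With fetchCRL == nil it stops there, which is the behaviour the thread complains
// about: a revoked certificate still verifies. Otherwise it follows the leaf's CDP,
// checks the CRL's signature and freshness, and rejects a revoked serial.
func VerifyCodeSigner(leaf, ca *x509.Certificate, fetchCRL func(url string) ([]byte, error)) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if fetchCRL == nil {
		return nil // no revocation check at all
	}
	if len(leaf.CRLDistributionPoints) == 0 {
		return fmt.Errorf("no CRL distribution point in certificate; revocation cannot be checked")
	}
	crlDER, err := fetchCRL(leaf.CRLDistributionPoints[0])
	if err != nil {
		return fmt.Errorf("fetch CRL: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %s; not authoritative", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", rc.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

func main() {
	ca, leaf, crlDER := BuildTestPKI()
	fmt.Println("chain only:", VerifyCodeSigner(leaf, ca, nil))
	// Stand-in for an HTTP GET of the CDP URL, so the example runs offline.
	local := func(string) ([]byte, error) { return crlDER, nil }
	fmt.Println("with CRL:  ", VerifyCodeSigner(leaf, ca, local))
}
```

Two points a practitioner would take from running it: the chain-only path returns no error for a certificate the issuer has already revoked, and the CRL path only helps if the certificate actually carries a CDP (the "no CRL distribution point" branch is the situation the post above describes) and the fetched CRL is both signed by the issuer and not past its NextUpdate, otherwise an attacker who can serve a stale or forged list has simply moved the problem.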
Re:Bigger problem (Score:2)
Sure, MSFT will have a patch out for W95 through XP. But given the number of Solaris boxen out there still running Sendmail 8.6 - how likely is it that every Joe-average windoze luzer in the world will apply the patch?
Someone's gonna make a lot of money off this cert. Illegally, yeah. But it's gonna happen. Given the bits about the organized cracking attempt made on the banks recently, this scares the living fuck out of me.
Re:It's still VeriSign's fault then (Score:2)
s/still/operating to spec, and as designed from Day One, this design flaw always was/g
Re:The worst problem of all (Score:2)
Stop thinking "cracker", "portal page", and "0wn j00", and start thinking "criminal", "financial institution", and... well, "0wn" is the right word, isn't it?
Nobody takes the kind of risk this guy took without a reasonable expectation of reward. The individual(s) who got the certs is probably not the group who ultimately intends to use them.
Re:Conspiracy (Score:2)
Actually, the first thing that went through my mind was "I'm glad NSA is gonna be all over this."
The number of users likely to click "yes" to the question "Always trust certificates from Microsoft Corporation" is staggeringly high. In the absence of a viable CRL (certificate revocation) capability in browsers, these certs, if (when?) they fall into the wrong hands, are dangerous weapons.
If the "wrong hands" are organized criminals, the stability of the banking system could be at risk. If the "wrong hands" are agents of another government, it could get even worse.
Re:This Isn't Really A Microsoft Story. (Score:2)
Re:Bigger problem (Score:3)
pardon my ignorance but is there an "open / free" (I'm using the terms loosely and not interchangeably) CA out there? I know that there was an Ask Slashdot about why SSL Certs are so expensive (here [slashdot.org] for the curious). I agree with the position that certs are issued typically for peace of mind, but would it be practical to implement an open standard of secure communication specifically for browser / server communications or is SSH adequate for this? Obviously I'm not a security expert, but I am a concerned person who would rather place their trust in an open standard than in a hidden company that requires "blind faith"
--------
"Counting in octal is just likst counting in decimal--if you don't use your thumbs."
The system needs reform (Score:5)
Then who will you trust?
With the amount of money verisign requires you to pay for their various types of certificates, you would think that they could take the proper steps to ensure that the application is valid? A phonecall to the posted number for the company perhaps?
Running a script to generate a key does not cost hundreds of dollars; we are paying extra for the cost of validation. I expect Verisign to DO that validating!
Re:Bigger problem (Score:2)
If your browser doesn't at least do something to actively "ask" the Authority about the certificate, the system seems broken internally. It may be hard to forge a certificate, but it's not impossible (although I don't know if anyone has that sort of computing power lying around). Still, you could make up a lot of wasted time in the time a fraudulent ticket would be working.
Oh well.
Wasn't there a DNS problem not too long ago??? (Score:2)
If Microsoft has been compromised as of Jan 30th, what's the probability that their software updates website has been spoofed? Even if it hasn't happened, its food for thought.
And, if this event has occurred, all MS users could be effectively fsck'd if those "critical" updates were trojan in nature (or worse). Imagine the implications if your PC were happily sending all your correspondence, stock trades and other financial transactions to a foreign power. Imagine if you are a DOD or gov't employee or contractor (Or a high ranking politician). The potential for cyber-terrorism from this incident is rather extreme.
Not that I'm an alarmist or anything....but when did the stock market start taking a dive?
RD
Re:That's what CRL's are for (Score:2)
RD
Slitting the American Underbelly -- A Commentary (Score:2)
Some may argue that our PKI infrastructure is in need of review. Whether or not this is true, clearly we must consider whether the products we use can be considered safe. Microsoft is aggressively patching a hole in their Outlook product so that certificates can be checked against so-called "Certificate Revocation Lists". And, while many think CRLs are new, they are not. The specification for CRLs has been available since at least November, 1993. So, why has a critical feature of PKI infrastructure been overlooked?
The pattern of attack against Microsoft began last year. In an article "Microsoft Hack wasn't espionage" by Kevin Mitnick (Nov. 5, 2000), Kevin points out:
"Most newsworthy was the possibility that Microsoft's highly guarded source code was compromised and possibly misappropriated. The Wall Street Journal reported that the hacker might have had access to Windows or Office 2000 source code...Only the hacker and, quite possibly, Microsoft know the real truth."
Today, on Security Focus, there's another article with the headline "White House: Hack attacks are new cold war". The author, for those interested, is Kevin Poulsen.
In this article, it is stated that "Virtually every vital service- water supply, transportation, energy, banking and finance, telecommunications, public health -- all of these rely upon computers and fiber optic lines, switches and the routers that connect them. Corrupt those networks and you disrupt this nation.", Condoleezza Rice.
Our nation runs on computers. Many critical infrastructure systems can be compromised by the simple dismissal of a security warning about a "Microsoft Certificate". But, has anyone stopped to think that we may already have been compromised?
Bind, that daemon that tells computers where to locate a resource, has been discovered to have flaws. Less than a month ago, there was a big concern that a well planned attack could take down the internet as we know it. If one recalls, there was an incident where an ISP on a South Pacific Island introduced false DNS data to redirect traffic to "their" servers.
If one of those servers was a spoofed "Microsoft Update" site and people casually dismissed that security warning that may have popped up on their screens (Hey, it's from Microsoft, right), millions may have downloaded malicious code right into their operating systems, word processors, or whatever. Given the fact that the source code for Microsoft's OS and Word products may have been compromised in the fall of last year, it would give ample time to develop a functional trojan disguised as a security update or critical update.
Open Source developers aren't immune either. Occasionally, some rogue hacker inserts malicious code into the linux kernel or utility source. If undetected, we may all be compiling in those changes and thereby compromising our systems as well.
Clearly, something needs to be done. Software that uses PKI must check CRLs for starters. Certificate vendors need to check identification a bit more closely. And, legislation must be enacted to reduce the liability to individuals whose digital certificates may have been compromised. Finally, the punishment for illegal use of a computer system and intentional computer virus release should be punishable by severe mandatory sentences (20-25 years would be a start).
I have never been a strong advocate for cyberpolice. But, as the frequency of attacks and the damage estimates rise, it makes one wonder.
RD
Re:Slitting the American Underbelly -- A Commentar (Score:2)
Fortunately, it *WAS* caught and the situation rectified by removing the malicious code and reposting on CVS. But, *IT* did get out there. Whenever you have a lot of complex code and many fingers in the pie, this situation can and does occur.
So, before you condemn me for my opinions, jump off your high horse and get a grasp on reality.
The argument that there are more eyes on the code and somebody will catch it is not necessarily true. If the code looks benign or appears to work as expected, that code probably will not be inspected.
Open Source, while a wonderful thing, is not immune to skulduggery any more than proprietary code if vigilance is not maintained to keep the code pure.
Re:Slitting the American Underbelly -- A Commentar (Score:2)
While I was in the military, we had a virus problem. We installed AV software on all machines. Every disk was scanned prior to sending them to the shore based communication facility.
Yet, invariably, when the disks were returned to us and we prepared new messages, the virus was back. As it turned out, the virus was on a PC at the communications facility and they were spreading it unwittingly. The internet was only an academic oddity then...so where do you think the virus came from?
Major corporations use MS software. Vigilant administrators are always downloading the latest security or critical update to keep their systems in top form.
The fact that the identity theft was not made public for almost two months is a scary thing. This means that if the original MS intruder got the OS or Word source code in the fall, they had plenty of time to make malicious modification.
Couple this with the hiccups on the web lately (DNS and router problems at major ISPs), and there is the potential for some serious damage to have been done. Has it? I don't know.
Similarly, if somebody managed to get a modified service pack out there, it could easily spread before the damage is realized just by the sheer goodwill nature of many admins to help others.
Scaremongery? In some respects, yes. But, the fact remains that our systems are vulnerable and only due vigilance will slow the tide of hacker attacks. For this potential scare, I do blame MS as they have known their identity has been compromised and their software does not handle CRLs. I blame Verisign for nonchalantly issuing a certificate in Microsoft's name without proper identity verification. As a result, there is a window of opportunity for damage to occur.
That so called "spanner in the works" could be as simple as somebody unwittingly upgrading their systems with altered software or having played a game with an embedded trojan program during those dull moments.
The manual control you refer to only applies if people are cognizant that there is a problem. If the altered software makes all appear fine, then you've got a real problem. Don't you? Now, couple this with undermanned facilities during the late night shift...get the point now?
It happened ten years ago on a military installation. Why can't it happen in the civilian workplace?
They don't call it a TRUST system for nuthin'... (Score:2)
What more do you want?
Why don't microsoft sign their own ? (Score:2)
Given Microsoft's unique position in the browser marketplace, why do they not run their own certificate servers and include themselves as one of the default certificate authorities ?
It's not as if they show much concern about breaking compatibility with other browsers (even earlier versions of their own) so what's going on ?
Re:True story: Why you shouldn't trust Verisign (Score:2)
But the engineer who had left could very well have taken a copy for himself; and use that for his advantage one day...
Always trust content from Microsoft Corporation (Score:2)
No big surprise (Score:2)
Re:Trust relationships with cryptography (Score:2)
I don't know about IE, but Netscape most certainly does allow the user direct control over what root CA's he or she trusts. The default is set up for you to trust all of the normal ones, but go to:
That is all there is to it...
Re:Uh.. (Score:3)
Hey, I know how to solve this! (Score:3)
Yes, I'm joking.
Re:MicroSoft Should Be Listing...... (Score:2)
This is serious, but not as serious as it could be (Score:3)
So it's still a big deal, but if you keep that little bit of knowledge in hand, you won't have to worry (too much)
----------------------------------
DMVs and/or Post Offices should certify IDs (Score:2)
The answer: they can't do as good a job as government agencies can.
Governments make ideal CAs: they issue birth certificates, drivers licenses, passports and they are, or tend to be distributed. I.e., different govt agencies issue different ID docs and can verify each other's documents, usually by requiring people to submit multiple IDs from different sources -- the idea being that to fake your ID you must fake ID documents from multiple agencies, a task that is, hopefully difficult.
Ultimately you can only approach 100% certainty of a person's ID, and the best way to do it is by requiring and reviewing multiple claims of ID from different sources. A birth certificate can be validated by contacting the issuing authority. A driver's license can be validated by checking the picture on it and then checking the license's validity with the license's issuer. Hopefully the issuers are well-known and hopefully the communications with them are somewhat secure (circularity rears its head). And so on.
In fact, DMVs (Dept. of Motor Vehicles) in the States (ok, New York's at least) have ID point systems whereby they assign different point totals to different kinds of IDs and require that you submit enough IDs to add up to a minimum ID point total in order to establish your ID to them. I think the U.S. Post Office does the same sort of thing for passport applications.
So, IMHO, government agencies would make very good CAs. At least they should sell ID verification services to third party CAs (in a way they already do: notaries public can attest to an individual's ID, and the notaries can be verified with the state and can be contacted by the CAs to verify their IDs).
Of course, it would be nice if there were a smartcard standard that all citizens (of a country or of any country) could use and to which their governments could download certificates....
But hey, even then, certificates can be stolen; passwords can be stolen; fingers can be cut off; people can be coerced into providing their biometrics ("stand in front of that retina scanner and act normal"); OS security can be broken and CA public keys modified/added.
Oh well...
So... (Score:2)
So does Microsoft seriously believe that the public, the same audience to which Microsoft caters as the "lowest common denominator" when developing such novelties as the talking paperclip, will suddenly divine an understanding of public key cryptography and the meaning behind these certificates? I think this might be the death knell for Microsoft as far as the ideas of "trust" and "security" are concerned.
Good riddance.
Re:This Isn't Really A Microsoft Story. (Score:2)
No, but I would expect my bank to have the capability to cancel a stolen credit card, by having the ability to check against a list of cancelled cards.
The problem with IE is that it has no method of doing such a check on a Verisign certificate. Oh geez, IE isn't compatible with the #1 CA. Obviously, entirely the CA's fault.
OK, it was human error on Verisign's part. However, it was caught by their internal people. It should be a dead story by now. That it isn't is largely MS's fault.
Re:Had to happen eventually. (Score:3)
Yeah, maybe. Research is currently being done on how to do this without the idea of a trusted party. The general idea is that the code comes with a proof of its safety (or a proof that it meets some other specification), which is "easily" verified by a small piece of software on your computer. It's not a panacea (there is a world of difficulty in specifying the right policies), but it could certainly stop updates of application-level (or especially applet-level) software from containing naughtiness.
Check out http://www.cs.cmu.edu/~petel/papers/pcc/pcc.html [cmu.edu] for more info on Proof Carrying Code.
Re:Wondering... (Score:2)
Re:All PKI suffers from this (Score:2)
Verisign issued a certificate containing the Microsoft name, which it should not have. Most likely this is human error. This kind of thing happens all the time, from the innocuous (name misspelled) to the not-so-good (name of summer intern happens to be the same as the CEO). PKI has revocation options, including certificate revocation lists (CRLs) and online certificate status protocol (OCSP) to handle the case in which you want to stop trusting a certificate that you issued.
So, Verisign issues the certificate, realizes that the dude doesn't work for Microsoft, and then revokes the certificate and calls Microsoft. Verisign has done their duty here, and although they get some of the blame for the initial certification, they have issued a revocation list containing these certificates. Verisign has now done its job.
Unfortunately, Microsoft has crappy PKI capabilities in their products. It wasn't until Internet Explorer 5 that they could handle CRLs at all, and that's only in the case where the CRL is available over the web (HTTP:) and the certificate contains a pointer to its CRL (called a CRL distribution point or CDP).
So, Microsoft's difficult situation is that they must now patch the client software on EVERY Microsoft client that uses Microsoft Crypto API (including IE, Office, and Win2K to name a few) in order to add this new CRL and be able to check it. If their PKI was able to check an OCSP responder at Verisign, or always knew that they could get Verisign CRLs from ldap://ldap.verisign.com, they wouldn't have to issue this press release and a patch at all.
--Peter
DISCLOSURE: I work for Entrust Technologies [entrust.com], a company which makes PKI software that does not suck.
What about a slightly different name? (Score:4)
It should be possible for me to get a Verisign certificate for 'the Microsoff corporation'. Most users won't notice this, so I can trick people into running my code.
Is there anything that can be done against this? Has Microsoft trademarked all 'Microsoft'-alike names? Can Verisign refuse to give out a certificate?
Uhh (Score:3)
I've had that one covered for the last 18-24 months or so...
Re:Usually pretty obvious (Score:2)
True story: Why you shouldn't trust Verisign (Score:4)
And the bastards charge money for this service.
Microsoft is innocent here (Score:3)
Verisign gave out the wrong certificates. If browsers now already have stored these certificates as 'safe', users should remove them, but it's VERISIGN's fault. They should have been more careful when they gave out the certificates. The person who now got the certificates could also have used 'Sun' or 'Red Hat' or any other company. Would that company then be 'the faulty'? NO.
Re:This Isn't Really A Microsoft Story. (Score:2)
I infinity bad Japanese translation you!!!
This Isn't Really A Microsoft Story. (Score:4)
This is a security story. The lock logo would have been more appropriate. Oh, wait... every time MS is mentioned on /. you get a spike in ad revenue. Carry on.
Some comments here... (Score:5)
I find it very fascinating that MS doesn't mention anything about the hazards of running code from an unknown author.
I would also hope that Verisign is taking a very serious look at their procedures - if CAs don't verify identities before issuing certificates, what good are they?
For that matter, how were individuals - MS employees or not - given keys in the company's name? There's no need for an individual employee to have those - especially before calling to check with executives within the company.
Re:Uh.. (Score:4)
Guys, Microsoft is not nearly as evil as you think it is. Yes, they had a track history, and yes clearly Bill Gates is a dick, but there are a lot of cool OS and game programmers, and hardware specialists that put out some wicked shit. You have to separate the company from the nerds like you and me.
Hahaha! (Score:5)
Surprised? - Not really
Worried? - No more than yesterday
Still accepting certs without EVER reading them? - You Bet Your Sweet Ass!!!
It's not just an OS, It's an adventure!
WTF? (Score:5)
Re:WTF? (Score:4)
Barf. (Score:5)
VeriSign has revoked the certificates, and they are listed in VeriSign's current Certificate Revocation List (CRL). However, because VeriSign's code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser's CRL-checking mechanism to download the VeriSign CRL and use it. Microsoft is developing an update that rectifies this problem. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local machine, rather than attempting to use the CDP mechanism.
Translation: This cert is bad, but the authority issuing it can't tell you this, even though the authority claims to be responsible for doing so. Microsoft and said authority didn't think of this, and so they now have to come up with a totally kludgey patch which they promise won't break anything else.
This is so fucking confusing even to someone who is fairly technical - can you imagine Joe User's reaction to this? Makes code signing pretty much useless.
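What the quoted bulletin paragraph (and the earlier "All PKI suffers from this" post) describe can be shown in code: a client that only follows CRL Distribution Points has nothing to fetch for a certificate without one, while a locally installed, CA-signed CRL can still answer by serial number. This is an added example in Go, not code from the bulletin or any poster; the CA, the leaf serial 0x1337 and the "Constructed Class 3 CA" name are all constructed in memory and unrelated to VeriSign's real material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckRevocation mirrors the client in the bulletin: a local CRL whose signature
// verifies against the issuing CA answers by serial number; without one, a client
// could only fetch a CRL via the certificate's CRL Distribution Point (CDP).
func CheckRevocation(leaf, ca *x509.Certificate, local *x509.RevocationList) string {
	if local == nil {
		// VeriSign's code-signing certs carried no CDP, so a CDP-following
		// client has nothing to fetch (fetching is omitted here: runs offline).
		return "unknown"
	}
	if err := local.CheckSignatureFrom(ca); err != nil {
		return "unknown" // never act on an unsigned or mis-signed CRL
	}
	for _, rc := range local.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}

// BuildScenario constructs in memory (unrelated to VeriSign's real material) a CA,
// a code-signing leaf named "Microsoft Corporation" with no CDP, and a CA-signed
// CRL revoking that leaf.
func BuildScenario() (leaf, ca *x509.Certificate, crl *x509.RevocationList) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG does
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)   // the leaf's private key is unused here
	now := time.Now()
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Class 3 CA"}, NotBefore: now, NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey))))
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(0x1337), // constructed serial; CRLDistributionPoints left empty
		Subject: pkix.Name{CommonName: "Microsoft Corporation"}, NotBefore: now, NotAfter: now.Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTpl, ca, leafPub, caKey))))
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey))))
	return leaf, ca, crl
}

// must panics on error so the constructed scenario stays short.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
```

Running CheckRevocation with a nil local CRL is the pre-patch situation; passing the parsed CRL is what the bulletin's locally installed revocation handler does.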
Uh.. (Score:5)
Getting your money's worth (Score:3)
Here's a thought. (Score:3)
What if the hacker(s) releases a patch before MS releases one?
Had to happen eventually. (Score:4)
That may sound like a bold statement, but if you think about it for a moment, can you ever trust an automated software update again, even a "secure" one?
OK,
- B
And this makes Hailstorm all better! (Score:3)
Re:True story: Why you shouldn't trust Verisign (Score:3)
The certificate would also be in the VeriSign LDAP directory and would in any case be handed out to everyone who accesses your Web site using SSL.
With certificate based PKI the security does not lie in keeping the certificate secret. The purpose of the certificate is to authenticate your public key.
The security depends on you maintaining the secrecy of your private key. That was generated by your engineer on the server itself and VeriSign would never see it.
So calling up VeriSign and asking for a copy of the certificate does not constitute a security problem. It is like telling someone your PGP fingerprint, or someone downloading a keysigning from BAL's MIT key server or whatever; it does not compromise your key.
Re:Wondering... (Score:4)
That dialog refers to the organization that signed the certificate. Most browsers (at least, IE and Netscape) come equipped to trust any certificate signed by Verisign. When you go to a page with a Verisign cert, the browser will trust the certificate, regardless of what company actually owns it.
Since in this case the certs were purchased from Verisign, your browser won't have any problem at all with them (it'll just assume that Verisign is trustworthy.) You won't get that dialog at all. If you look at the security info for that page, it'll show the page as registered to Microsoft corporation. Generally MS signs their own certificates, so it would be a little odd to see a cert owned by MS and signed by Verisign (although they may actually do this.)
Usually pretty obvious (Score:3)
The files tend to come from domains like, oh, say, microsoft.com or mechwarrior4.com...
Now, of course, if you are trying to download 'http://ftp.goatse.cx/hotgaypr0n.exe' and it's signed by MS you a) have other problems and b) deserve whatever you get if you accept the file.
Of course, this is probably not too good for Verisign, as they now look like dumbasses, and have probably pissed off MS to boot.
Brant
So how did a class 3 get out? (Score:3)
http://www.verisign.com/repository/CPS/CPSCH2.HTM#_toc361806948 [verisign.com]
http://www.verisign.com/products/asb/faq.html [verisign.com]
Especially interesting is the Assurance level that comes with this cert.
Even if these certificates are never used, there will be some pretty heavy US govt. involvement as a result of this.
Anyone know if this has happened with any companies less visible than MS? A quick search did not turn anything up, but if Verisign's procedures could let something like this slip through...
Re:This Isn't Really A Microsoft Story. (Score:3)
For some reason /. is assuming that Nerd=='someone who hates MS' and News for Nerds==Microsoft-bashing, using any means possible?
Get a life and realize that there are actually many many pro-microsoft (or at least neutral) geeks out there also, who would sometimes rather like to read something where the primary goal would be to tell people about some interesting/cool stuff done by MS, not just bashing. Right now you are just missing all these potential readers who are getting news from more balanced sources elsewhere. Don't get me wrong, I think /. is very cool but it's really harming itself more this way.