Full Disclosure mailing list archives
Re: [Bogus] Microsoft Authenticode™ webcam viewer plugin
From: Andrew Clover <and () doxdesk com>
Date: Wed, 29 Oct 2003 15:59:16 +0000
Nick FitzGerald <nick () virus-l demon co uk> wrote:
> Does their AUP/ToS/etc require that their certs not be used for such things??
I believe - and I haven't seen the agreement myself - that it says the signer's code may not be 'malicious'. This is of course difficult to define. If the software installs underhandedly, pops up porn and leaks browsing habits, but its primary purpose is to make money for the attacker rather than the malice of causing harm to the user, does it count as malicious?
> Ownership of a certificate simply means that someone stumped up the cash (for a Thawte code signing cert that is about US$100/year) and the CA was "suitably convinced" that they really were (or genuinely represented) who they said they were (or represented).
Indeed. Unfortunately the "identity" is expressed as an arbitrary string which is of no use to anyone. There's a little further information in the cert, which the ActiveX download process does not allow to be shown, but not nearly enough to track down the real authors and hold them to account.
> an Authenticode "all clear" means that if you were stupid enough to "trust" (in the big sense) a piece of signed code the CA can help you locate the rat-bag who signed it should you want to fry their balls...
Unfortunately this has turned out not to be the case with Thawte at least, who refused to disclose details for miscreants like the infamous Xupiter.
> That Authenticode has been "sold" (and worse, accepted by some) as anything else but a poor-man's excuse for "nothing much" is somewhere between really sad and criminal...
Quite agree. And of course half the pages that use ActiveX downloads promote this with text claiming that Authenticode guarantees the code's safety.

-- 
Andrew Clover
mailto:and () doxdesk com
http://www.doxdesk.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html