Re: Embedding Simple MFC GUI app into website



In article news:<O60KpFw5GHA.696@xxxxxxxxxxxxxxxxxxxx>, Pete Delgado wrote:
The *whole* point of signing code is to ensure that you are able to
determine the origin of the code in question and that it has not been
tampered with since it was signed.

Agreed.

Once the origin of the code has been determined, *you* decide whether to
allow it to run on your system. If you are indiscreet, then you get what
you deserve!

Sounds great, doesn't it? In practice the end user is faced with a question
he doesn't really understand about whether or not to run some program he
doesn't know anything about, and is invited to inspect the contents of a
code-signing certificate that's all Greek to him. The cautious just give up;
the mad, bad, and dangerous to know just click OK.

The reality is that current codesigning technology assumes too much
technical ability from the end user, and places too much responsibility on
that poor bewildered individual.

Since you must obtain a certificate for code signing from the trusted
authority, it is unlikely that a "cracker" will obtain a valid certificate
from a trusted authority that names a reputable company that a user
would be likely to trust, hence your argument that this is an open
invitation to malware writers and system crackers is misleading at best.

If you put up a website with some cool new Trojan for download and put up a
welcome message saying something along the lines of "for your protection we
have used code-signing technology to ensure that the software you download
is safe and free from corruption, to use this technology you must accept our
root certificate into your browser's database ... follow these instructions"
... I bet you over 90% of users of the site would do it without a second
thought.

Look at the Mountain America phish ... people trusted the phishing site
*because* it was signed, and were not sufficiently skilled to examine and
interpret the phisher's certificate and see that they were not talking to
the real bank's site.

The technology is fine in theory, but it is not correctly practised.

As a side note, we have had more systems compromised by people downloading
and installing the latest screen saver or opening word documents than we
have had by using web sites that contained ActiveX controls.

Could that be because web sites generally don't contain ActiveX controls,
because nobody lets their browser run them?

In my opinion Microsoft was irresponsible in the extreme by ever
spawning this hateful technology, and has done computer users all
over the world an incalculable disservice ...

I disagree. The technology was an effort for Microsoft to compete in a
space that was once dominated by Java.

I have to dispute your chronology: OLE Controls predate Java. Java 1.0 just
about predates ActiveX but it didn't dominate anything.

The technology has been useful - if only for intranet applications.
Certainly there are security reasons not to use it for a general
purpose web site as we have all discussed, but one cannot deny that
the technology filled a need at the time of its introduction and
can still play a role, however small, today.

I would certainly not say it filled a need. It has been used in any number
of insecure quick-and-dirty implementations that could have been done better
by other means; but it offers nothing that can't be done in other ways and
nothing can justify the way that it flies in the face of accepted security
best practice.

I suspect most people would have trusted a Verisign-signed
code-signing certificate in the name of Sony, but Sony was
responsible for distributing a (unsigned, as it happens) rootkit
on audio CDs a while back.

Your point is taken, but since the Sony rootkit was installed from a
CDROM and was installed as a result of an autoplay executable, it is
really not in the same category.

That's right -- I didn't mean to suggest that there was a direct comparison.
I was just making the point that most people would be likely to place some
trust in a name like Sony's, but even Sony are capable of releasing software
that you wouldn't actually want to run. If that rootkit had been in a
signed, downloadable, application most people would have run it because it
was signed by Sony and they trusted Sony.

Unless you have configured your system to always install
ActiveX controls, the browser will warn you before installing the control.
The Autoplay rootkit executable from Sony offered no such option - which is
one of the things that made it such a breach of trust and why Mark
Russinovich rallied against it.

I have autoplay disabled on all my removable media drives, don't you? At the
very least I want the chance to run a virus scanner over the disk before
running anything from it (it's not that I don't trust the on-access virus
scanner, just that I'm paranoid).

Google for the much-publicized phish attack in which an American bank
called Mountain America Credit Union was spoofed ...
[snip]
Again, your point is taken, but I don't hear you or Joe decry DNS, SSL or
any other web technology! If an authority, certificate or identity is
compromised, all bets are off for *all* web technologies that deal with
identity - not just ActiveX.

Agreed ... and I have been known to rail against some of those other
technologies. The arguments against SSL are much the same as those against
code-signing -- the technology is basically OK, but people don't check/don't
know how to check the certificate so it's far too easy to spoof. DNS is
intrinsically insecure, but if someone spoofs DNS and takes you to a bogus
site you should be able to tell that fact from the site's bogus SSL
certificate (remarks about spoofing SSL, above, notwithstanding).

It would be nice if DNS used a secure channel, but it doesn't.

Does this mean that we abandon the internet and computers because the
potential risks are too great? For some people, that is the right answer,
but for the majority of us the level of risk is acceptable given the
potential rewards.

No. Risks can be managed, and one way of managing them is to eschew
technologies that are just stupidly insecure and to prefer other
technologies that are more secure or can be made so. In my book, ActiveX is
one of the stupidly insecure technologies that we should all be studiously
avoiding.

One web site that I access has given me a smart card reader along with a
card that contains the URL of the site and my credentials. When I insert
the reader and card I am directed to the company web site with no need to
log in. Certainly this is a more secure process, but it too is subject to
the DNS flaw I described above.

That's nice ... depending on the type of card you're using you may have a
tamper resistant security module with a secure key store (the smartcard) and
your card and the host can authenticate each other and establish a secure
communication channel. In that case if someone spoofs your DNS he can stop
you finding the server you want, but he can never spoof it (assuming the
system has been sensibly designed).

The point is that we can minimize our risks because of the internet,
but we can never eliminate them unless we plan to go back to doing
business in person. At that point, we become subject to other risks
such as being robbed etc.

Agreed.

Cheers,
Daniel.
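The thread's central point is that a valid signature only tells you who signed a file and that it is intact, and that a user who has been talked into "accepting our root certificate" has quietly extended that trust to whoever owns the root. The following PowerShell script is an added example, not code from the original post or from either correspondent; it verifies a downloaded file's Authenticode signature with the built-in `Get-AuthenticodeSignature` cmdlet, builds the certificate chain with the .NET `X509Chain` class, and then checks whether the root the chain actually relies on lives only in the current user's trusted-root store (where click-to-accept roots end up) rather than the machine-wide store. The `$Path` parameter is a placeholder for the file under review.

```powershell
# Added example (not part of the original post). Reports a file's Authenticode
# signature status and flags chains that terminate in a user-installed root.
# $Path is a placeholder; point it at the downloaded file you are reviewing.
param([Parameter(Mandatory = $true)][string]$Path)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"

# Anything other than 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) means
# the origin or integrity claim cannot be relied on at all.
if ($sig.Status -ne 'Valid') {
    "Signature is not valid ($($sig.StatusMessage)); treat the file as unsigned."
    return
}

"Signer subject   : $($sig.SignerCertificate.Subject)"
"Signer issuer    : $($sig.SignerCertificate.Issuer)"
if ($sig.TimeStamperCertificate) {
    "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
}

# Build the chain from the signer certificate to find the root it rests on.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$null = $chain.Build($sig.SignerCertificate)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain root       : $($root.Subject)"
"Root thumbprint  : $($root.Thumbprint)"

# Roots in CurrentUser\Root are usually there because a user clicked "accept";
# roots in LocalMachine\Root come from the OS root program or an administrator.
$inUserStore    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
$inMachineStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }

if ($inUserStore -and -not $inMachineStore) {
    "WARNING: the signature is only trusted because of a root installed in the"
    "current user's store. Confirm who added it before running this file."
} elseif ($inMachineStore) {
    "Root is trusted machine-wide; the signature proves origin and integrity,"
    "not that the signer's code is safe to run."
}
```

Run it as `.\Check-Signature.ps1 -Path .\download.exe`. A 'Valid' status with a machine-wide root is the normal case the thread describes: it answers "who signed this and is it intact", and nothing more; the decision to run the code still rests on whether that signer is one you would trust.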
