[cryptography] How are expired code-signing certs revoked?

lodewijk andré de la porte lodewijkadlp at gmail.com
Wed Dec 7 21:12:47 EST 2011


I'm afraid "far more effective" just doesn't cut it. Android has "install
.APK from third party sources" which you'll engage whenever you install an
APK without using the market, trusted or not. You can just put your malware
on the market though, they can then pull it back off 'n all but just
package it in "Sexy asian girls #1283" and the like with different accounts
every time. You're still in a bit of a sandbox though, can't help that
(although some do say it's not worth that much).
The appstore has heavy code review (so they say) that'd prevent malware
from entering the appstore, so far so good, it also prevents some
legitimate and a whole lot of questionable stuff. So people invented Cydia.
I never used it and I sure as hell didn't check its security features, but I
think you see where this is going.

Naturally, as with all security, implementation matters a lot. I'm not
saying I'm against signing stuff, I'm just saying I don't think it ever
helped me.

On 8 December 2011 02:54, Marsh Ray <marsh at extendedsubset.com> wrote:

>
> On 12/07/2011 07:01 PM, lodewijk andré de la porte wrote:
>
>> I figured it'd be effective to create a "security awareness group"
>> figuring the most prominent (and only effective) way to show people
>> security is a priority is by placing a simple marking, something like
>>  "this site isn't safe!"
>>
>
> I thought the international symbol for that was already agreed upon:
> goatse.cx
>
>
>
> On 12/07/2011 07:13 PM, lodewijk andré de la porte wrote:
>
>> I'm afraid signing software is multiple levels of bollocks. Imagine a
>>  user just clicking yes when something states "Unsigned software, do
>> you really want to install?".
>>
>
> You're just thinking of a few code signing schemes that you have direct
> experience with.
>
> Apple's iPhone app store code signing is far more effective for example.
>
>
>> Imagine someone working at either a
>> software or a signing company. Imagine someone owning a little bitty
>> software company that's perfectly legitimate and also uses the key to
>> sign some of his malware.
>>
>
> His own malware? With his own certificate? How dumb can he be?
>
>
>> Software signing isn't usable for regular end users, experienced
>> users already have hashes to establish integrity up to a certain
>> level, gurus and security professionals compile from source instead
>> of trusting some binary. And yes that does exclude hidden-source
>> software, it's the only sensible thing to do if you don't want trust
>> but real security!
>>
>
> A scandal broke just the other day when http://download.cnet.com/ was
> found to be trojaning downloaded executables in their custom "download
> manager" wrapper. Just to be helpful, this wrapper would change your home
> page to Microsoft, change your search engine to Bing, and install a browser
> toolbar that did lord knows what other helpful stuff if you were dumb
> enough to click the "Yes please install the helpful thing I downloaded"
> button. After they find their PC filled with crapware, users likely
> attribute it to the poor unsuspecting developer of the legitimate
> application they'd intended to download.
>
> Even the simplest code signing mechanism at least prevents application
> installers from being corrupted by commercial distribution channels like
> that. But only IF enough users were given a security justification for
> insisting on a valid signature on the installers that CNET would recognize
> that that kind of sleazy practice would harm their brand.
>
> http://download.cnet.com/8301-2007_4-57338809-12/a-note-from-sean-regarding-the-download.com-installer/
>
> MS Windows 8 is said to be introducing an app store distribution channel.
>
> - Marsh
>