
Don't Trust Code Signed by 'Microsoft Corporation'

michael posted more than 13 years ago | from the verisign,-the-company-which-manages-the-root-name-servers dept.

Microsoft 270

omarius writes "From the Microsoft Security Bulletin: 'VeriSign, Inc., recently advised Microsoft that on January 30 and 31, 2001, it issued two VeriSign Class 3 code-signing digital certificates to an individual who fraudulently claimed to be a Microsoft employee. The common name assigned to both certificates is "Microsoft Corporation".' See the bulletin for more information. Brings a whole new meaning to the concept of 'Windows Update.' ;)" Most users probably ignore the name on a certificate presented to them anyway, but even that minimal protection is worthless if certificate authorities don't perform their job.


Verisign doesn't do what they say they will (1)

Anonymous Coward | more than 13 years ago | (#346345)

I work for a very large company (larger than Microsoft). Last year, I applied for a Class 3 certificate so that we could sign some of our executables (product updates) and ActiveX controls. Verisign asked for names and phone numbers of managers and executives, and said that it would take up to three days to issue the certificate. I had it in less than 8 hours, and nobody on my list was contacted. It didn't leave me with a really warm and fuzzy feeling about the process.

My manager thinks that this whole deal with paying $400/year for a certificate is just a scam, and now I'm inclined to agree with him!

Re:That's what CRL's are for (2)

Anonymous Coward | more than 13 years ago | (#346347)

It is because they haven't bothered to do this yet that this is possible - think about it - if CRLs were implemented, and every application that used Certs checked the Revocation list of the issuing CA, this problem would have a trivial solution - Revoke the Cert, and this "fraudulent" issued cert becomes useless.
No it doesn't. The problem with CRLs is that they don't work, they've never worked and they never will work. CRLs are like 1970s credit-card blacklists where each week the card issuers/banks would send out a blacklist of cards which merchants weren't supposed to accept. The lists were long and took too much work to check, by the time a new blacklist arrived the crooks had long since sucked the account dry, and if you wanted to prevent a card from being revoked you just made sure the blacklist never arrived. CRLs are even worse, although at the moment I don't really feel like typing up a 10-page technical bulletin on their various flaws.

A slightly better approach is OCSP (online cert status protocol), although that too has enough problems for at least two pages of writeup. The basic problem is that revocation doesn't work (once you've emitted a datum you can't retroactively take it back), which the credit card companies discovered about twenty years ago and which the X.509 designers may discover at some point in the future, although for now it's much more fun to fiddle with revocation protocols and mechanisms. Let's face it, as long as there are hordes of people willing to give you money for band-aids and pretend-fixes, why address the real problem?

chill, dude... (1)

Wakko Warner (324) | more than 13 years ago | (#346349)

It was just a joke. I've been hopped up on Italian ice all day.

- A.P.

--
* CmdrTaco is an idiot.

hm... (3)

Wakko Warner (324) | more than 13 years ago | (#346350)

maybe the next "service update" will magically "install debian" on some "lusers' PCs"?

In a perfect world, anyway...

- A.P.

--
* CmdrTaco is an idiot.

Re:Wondering... (2)

phil reed (626) | more than 13 years ago | (#346351)

When you get the "Always trust..." message, it applies to a particular certificate. These are new certificates, so you'll get the message again. The danger is in all the people that will see that the bogus certificate is from "Microsoft Corporation" and click "Accept".


...phil

Re:Some comments here... (2)

phil reed (626) | more than 13 years ago | (#346352)

At the present time, what is distinguishing the two in question from the 'real' MS certificates?

The dates. Microsoft says that they received no legit certificates on the dates in question (Jan 29 and 30, 2001). If you check the date of the certificates and it says "Microsoft Corporation" on those dates, it's bogus.

And how many people are going to look at the dates?

If it's possible for MS to revoke those two, why can't the crackers revoke the real ones?

Microsoft didn't revoke them, Verisign did. The problem is that essentially nobody looks at the Revocation List.


...phil

VeriFucked (2)

jafac (1449) | more than 13 years ago | (#346356)

What was that someone said about security thru obscurity? No matter how good your code is, you're still vulnerable at the hardware level, and thru social engineering.

This Shows that (3)

jjr (6873) | more than 13 years ago | (#346369)

We can not only have one company to handle Digital Signatures. The internet community should create a non profit company to help with this problem. I am assuming that Microsoft is not the only company that this has happened to.

Re:Always trust content from Microsoft Corporation (1)

waldoj (8229) | more than 13 years ago | (#346372)

I get a good laugh everytime I see that dialog box.

"Always trust content from Microsoft Corporation?"

*giggle*

-Waldo

Re:Bigger problem (1)

ch-chuck (9622) | more than 13 years ago | (#346377)

Here's the Verisign Certification Practice Statement [verisign.com] - from what little I read the person who fraudulently claimed to represent Msft might be in some serious trouble.

Somebody send us up the update? (1)

Cool Hand Luke (16056) | more than 13 years ago | (#346390)

Let's see...

The FAQ on the Microsoft page claims this isn't a security vulnerability 1 [slashdot.org] because it was a third party's fault (namely, VeriSign).

Okay, Microsoft can rightfully claim they didn't directly fuck up...

...but, looking over their definition of "security vulnerability" makes me pause

  1. Since VeriSign's security software failed (in this case, through social hacking), because Microsoft software doesn't handle cases where VeriSign fails without patches, isn't this a design flaw, thus a security vulnerability? (The "flaw" being heavily relying on third-party software to do the right thing in a critical task, like security... yes, I realize this is a nitpick.)
  2. If the whole purpose of software, like "Windows Update" is to allow Microsoft to:
    • usurp privileges on the user's system (allow Microsoft to download and run new software and system patches)
    • regulate its operation (I hate having to reset to finish installations!)
    • compromise data on it (Who replaced all these .dlls on my drive?)
    • assume ungranted trust.(Who said we ever trusted Microsoft...*cough* *cough*?)
    isn't Windows Update a big old security flaw? (Assuming Microsoft is an "attacker" of user's systems.)
  3. Does Microsoft not assume it is an "attacker" when it downloads updates because...
    1. ...Users have to run "Windows Update" in the start menu?
    2. ...Microsoft would never run anything on user's machines that stole information about their machines, or caused their machines to crash frequently?
    3. ...All our Windows are now belong to them?

    Time to hit play and get back to work...

    1. A security vulnerability is a flaw in a product that makes it infeasible - even when using the product properly - to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.


George Lee

Re:That's what CRL's are for (1)

McAlister (20810) | more than 13 years ago | (#346394)

I agree, but CRL has been around longer, and the various standards groups are still trying to work out how OCSP works - AFAIK there are only a couple of working implementations, and none of them are available "In the wild"....

But you're right - OCSP is great for instantaneous checking, and that's where we're heading, but they're (Microsoft, Netscape, Verisign et al.) not even crawling, let alone running along the revocation checking path right now...

McAlister

That's what CRL's are for (5)

McAlister (20810) | more than 13 years ago | (#346395)

Ok...I hope this finally gets Microsoft and Verisign out of their complacent moods, and prompts them both to implement Certificate Revocation Lists capability that WORKS in all of their offerings -

It is because they haven't bothered to do this yet that this is possible - think about it - if CRLs were implemented, and every application that used Certs checked the Revocation list of the issuing CA, this problem would have a trivial solution - Revoke the Cert, and this "fraudulent" issued cert becomes useless.

But since Microsoft, Netscape/AOL, and most other vendors of Certificate aware software haven't bothered until VERY recently to even think of the CRL, then this is now a rather large problem...

Anyways... I hope this causes them to go and actually implement RFC compliant CRL capabilities in all of their products - would make those of us who work with them VERY happy....

McAlister

Re:All PKI suffers from this (1)

seanmceligot (21501) | more than 13 years ago | (#346396)

No, Your analogy doesn't fit. I can revoke my pgp key, and I can change the locks on my door. They should have implemented this necessary feature before they needed it.

MicroSoft Should Be Listing...... (2)

matth (22742) | more than 13 years ago | (#346398)

I was looking on MicroSoft's website, and saw this:

Microsoft tested the following products to assess whether they are affected by this vulnerability. We will waive normal support guidelines to provide remediation for all operating systems that are still in widespread use, regardless of whether they are normally supported or not.

* Microsoft Windows 95

* Microsoft Windows 98

* Microsoft Windows Me

* Microsoft Windows NT 4.0

* Microsoft Windows 2000


Now, maybe I'm wrong here. But it seems to me that this problem affects other operating systems, not just windows. What about windows 3.11? While it is mostly phased out, it would affect anyone using it who happened upon a website that had these certificates on them. What about a linux or mac user? It certainly would also affect them if they came upon the website. Now, to my knowledge, MS doesn't make any linux software, so it doesn't do anything with ActiveX, but what about Macs? There are versions of Office for macs, wouldn't it affect them? Seems to me that someone was a bit cloud headed when they wrote this.

Re:Wondering... (3)

MindStalker (22827) | more than 13 years ago | (#346399)

Actually it only accepts code also signed by the identical certificate; as this is a different certificate but the same name, it would not automatically accept it based on a previous acceptance of "Microsoft".

how is the new? (1)

BlueLines (24753) | more than 13 years ago | (#346400)

Don't Trust Code Signed by 'Microsoft Corporation'

heh. i haven't trusted Microsoft code in the last 4 years.

but thanks for the heads up.

--

...and this is news how? (1)

ConceptJunkie (24823) | more than 13 years ago | (#346401)

I don't trust code from Microsoft when I am 100% sure it's theirs.

I'm a Microsoft user since the early 80's and any update is a crap shoot, that's what reinstalling the OS is for.

Does anyone remember DOS 3.0? DOS 4.0? NT 4.0 service pack 2? Just to name a couple that come to mind...

Despite my cynicism, I'm happy to use Microsoft products. I just understand and plan for the fact that at any time my system might go completely kablooey. Frequent code backups, burning anything useful onto CD ROM's and a bit of common sense have served me well.

?Microsoft Corporation? (2)

SEWilco (27983) | more than 13 years ago | (#346402)

Following the instructions in the warning, I'll beware of stuff from ?Microsoft Corporation?, as opposed to "Microsoft Corporation".

Don't Trust Code Signed by 'Microsoft Corporation' (1)

Rupert (28001) | more than 13 years ago | (#346404)

Is this news?

--

It's still VeriSign's fault then (2)

gburgyan (28359) | more than 13 years ago | (#346405)

From the article that's linked:
VeriSign has revoked the certificates, and they are listed in VeriSign's current Certificate Revocation List (CRL). However, because VeriSign's code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser's CRL-checking mechanism to download the VeriSign CRL and use it. Microsoft is developing an update that rectifies this problem. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local machine, rather than attempting to use the CDP mechanism.

It seems that VeriSign really dropped the ball here by first not properly verifying the submitter, then by not providing a way of getting a revocation out in the case they made a mistake. This is just poor planning overall.

Not that I'm surprised, they also own Network Solutions [netsol.com] ... birds of a feather.

CA's in general (3)

DJGreg (28663) | more than 13 years ago | (#346406)

This goes great with this [slashdot.org] article from a couple of days ago.

I used to think that the whole idea of paying a shitload of money to goons like Verisign was that you could trust the certificates issued by them. If they make mistakes like this, how can I trust them anymore? Furthermore, how can I trust the certificate of any ecommerce site that uses their certificates?

This is a huge problem for all CA's if this is a precedent. I'm really curious to see what, if anything, Verisign will do about this.

Re:That's what CRL's are for (2)

MarcoAtWork (28889) | more than 13 years ago | (#346407)

Forget CRLs, they should just create some nice OCSP responders, so everybody can be *really* sure that the certificate they are being presented is still valid.

OCSP = online status checking protocol

This means that instead of checking your cert against a huge CRL (that you have to download every day) you just query the appropriate OCSP responder for that issuer, and you do a realtime query.

The dialog should be of the type:

software xyz presented certificate abc: what do you want me to do?

accept cert refuse cert check cert cancel

where 'check cert' does a query. Problem with this approach is that they have to beef up their hardware to handle all these requests, but if you don't care if the cert is valid at all, why even bother with certs in the first place.

Re:Always trust content from Microsoft Corporation (2)

TheDullBlade (28998) | more than 13 years ago | (#346408)

Sure, just install Service Pack 7, followed by Service Pack 3, Service Pack 6, then Service Pack 7 again. Now, delete everything in your Windows directory, and your "My Documents" directory, and the auto-restore will change your state so that it asks who to trust again.

This post is Verisign certified Microsoft content. Trust us, it will work. Really.
---

CRLs are not the long-term answer (2)

jcorgan (30025) | more than 13 years ago | (#346410)


CRLs are the nuclear waste of the PKI industry.

They never go away, they keep getting larger, and eventually, there will be no place to keep them :-)

All PKI suffers from this (5)

Shotgun (30919) | more than 13 years ago | (#346411)

The problem with any encryption system, nay any protection system at all, is the point at which they break.

The super heavy deadbolts on my front door are useless if I pass out the key. The electronic security system is just a bunch of lights and buzzers if I give out the passcode or everyone ignores it. The extra heavy combination lock is just dead weight if the hinges of the safe are on the outside of the door.

Public Key cryptography is only as strong as the security on the key. The article says that this doesn't fit the strict definition of a security vulnerability, presumably because it doesn't break the software. Well, I'd like to disagree. Part of the product, part of what M$ sells with the promotion of signed inActiveX controls, is that the pieces of code are trusted. This is not a piece of software they are selling, it's an entire system. The software is only part of it. The system has been broken. This makes it a security vulnerability in the same way that giving out keys to my front door and the combination to my safe are security vulnerabilities.

The gist of my rant, and the point I'm trying to convey, is that systems are more than just the software. To concentrate only on one part of the system when defining terms to describe the safety of the whole system is foolish.

I hope they make getting a certificate harder. (1)

Fapestniegd (34586) | more than 13 years ago | (#346412)

Now I'll have to show up at their main office with my boss, and legal team.

Bigger problem (3)

Stavr0 (35032) | more than 13 years ago | (#346414)

Don't trust certificates issued by VeriSign

I dunno, but it seems to me that they have the bigger problem. We put our trust in VeriSign to properly identify people requesting certificates. That trust has been broken now.
---

Re:Always trust content from Microsoft Corporation (3)

macpeep (36699) | more than 13 years ago | (#346416)

It's not a problem. The "always trust content from ...." is not on a name basis but on a certificate basis. These phoney (or any other) certificates won't automatically be accepted.

Trust relationships with cryptography (5)

Greg@RageNet (39860) | more than 13 years ago | (#346419)

Guess the problem here is that it should have always been up to the end user as to which certificate signing authorities to trust, rather than for software manufacturers to decide for us. At least browsers are getting better, before if they saw a certificate that the browser didn't trust it would reject it outright.

But nowadays if a company becomes untrustworthy through malicious intent or just plain incompetence it's not possible for users to 'un-trust' a certificate authority trusted by the browser/software manufacturers.

There should be a higher degree of control at the end-user as to which CA's are trusted.

-- Greg

Wondering... (2)

metacosm (45796) | more than 13 years ago | (#346420)

I was just wondering -- when one of those VeriSign things pop-up, you have an option to check "Always Trust Xyz Corp". If users have already done this - will this setting apply to ALL certs from Xyz Corp, or just Certs dated before the current date? I am wondering if that prompt is authorizing all certs from a company - or a subset ( by date or by class, etc)? Anyone know?

Re:This Isn't Really A Microsoft Story. (2)

Enoch Root (57473) | more than 13 years ago | (#346434)

Funny how this story would probably be rejected if 'Microsoft' didn't figure in it somewhere...

Signed... or published, for that matter. (1)

SnakeStu (60546) | more than 13 years ago | (#346435)

Don't get me wrong. I always put complete trust in Microsoft, and VeriSign for that matter. Always.

Sure I do.

Re:Bigger problem (3)

CmdrPinkTaco (63423) | more than 13 years ago | (#346437)

The only truly effective answer to the question "who watches the watchers" must be "the public themselves".

Pardon my ignorance but is there an "open / free" (I'm using the terms loosely and not interchangeably) CA out there? I know that there was an Ask Slashdot about why SSL Certs are so expensive (here [slashdot.org] for the curious). I agree with the position that certs are issued typically for peace of mind, but would it be practical to implement an open standard of secure communication specifically for browser / server communications or is SSH adequate for this? Obviously I'm not a security expert, but I am a concerned person who would rather place their trust in an open standard than in a hidden company that requires "blind faith"
--------
"Counting in octal is just like counting in decimal--if you don't use your thumbs."

The system needs reform (5)

The-Pheon (65392) | more than 13 years ago | (#346438)

Don't trust certificates issued by VeriSign?

Then who will you trust?

With the amount of money verisign requires you to pay for their various types of certificates, you would think that they could take the proper steps to ensure that the application is valid? A phonecall to the posted number for the company perhaps?

Running a script to generate a key does not cost hundreds of dollars, we are paying for the extra for the cost of validation. I expect Verisign to DO that validating!

Why don't microsoft sign their own ? (2)

MythMoth (73648) | more than 13 years ago | (#346449)

Given Microsoft's unique position in the browser marketplace, why do they not run their own certificate servers and include themselves as one of the default certificate authorities ?

It's not as if they show much concern about breaking compatibility with other browsers (even earlier versions of their own) so what's going on ?

Always trust content from Microsoft Corporation (2)

jesser (77961) | more than 13 years ago | (#346454)

A while ago I checked a checkbox labelled "Always trust content from Microsoft Corporation". Is it possible to undo that?

No big surprise (2)

klmartin (80562) | more than 13 years ago | (#346458)

Ever read the warranty that comes with anything from Verisign? They won't even warrant that their certificates actually represent the individuals or organization that they claim they represent.

Typical slashdot sensationalism (1)

GusherJizmac (80976) | more than 13 years ago | (#346459)

I'm getting really tired of slashdot posting over-inflammatory headlines. I mean, come on! If the headline was:

Don't Trust Content From "Microsoft Corporation"

(note the quotes), that would be one thing, but this is just misleading and bad journalism. Come on guys!

I am a complete idiot (1)

GusherJizmac (80976) | more than 13 years ago | (#346460)

Well, they did, and I apologize for my comments. I did just what I was accusing slashdot of. I am an idiot. What a waste of an 8th post......

Re:Bigger problem (1)

deefer (82630) | more than 13 years ago | (#346461)

So who kicks VeriSign's butt? Who will make an inquiry into how this happened, and what steps are to be put in place to prevent a repeat performance?

Strong data typing is for those with weak minds.

Re:Trust relationships with cryptography (2)

kevin@ank.com (87560) | more than 13 years ago | (#346462)

I don't know about IE, but Netscape most certainly does allow the user direct control over what root CA's he or she trusts. The default is set up for you to trust all of the normal ones, but go to:

  • Communicator
  • Tools
  • Security Info
  • Select 'Signers'
  • Click the certificate in question
  • Click 'Edit'
  • Change your trust buttons

That is all there is to it...

Hey, I know how to solve this! (3)

nublord (88026) | more than 13 years ago | (#346464)

Guess we need another layer of certificates to verify VeriSign, Inc.

Yes, I'm joking.

Re:Wondering... (1)

donutello (88309) | more than 13 years ago | (#346465)

Err.. no. Verisign is simply the authority that issues and authenticates certificates. At least on Windows, when you get the option "Always trust blah blah" you're not saying "Trust all certificates issued BY blah blah" but rather "Trust all certificates issued TO blah blah as long as you trust the person issuing the certificate". Trusting Verisign to issue certificates is implicit in the verification code.

This is serious, but not as serious as it could be (3)

Judg3 (88435) | more than 13 years ago | (#346467)

(From the NTBUGTRAQ) Despite the fact that it's a Microsoft Certificate (for all intents and purposes it appears as such), it WILL NOT automatically be trusted by anyone's system. Even if you have previously stated that you want to trust all signed software from Microsoft, the fact that this one is a *different* Microsoft Certificate means you will still be prompted to trust it.
So it's still a big deal, but if you keep that little bit of knowledge in hand, you won't have to worry (too much)

----------------------------------

You don't have to. (1)

Len (89493) | more than 13 years ago | (#346470)

According to the bulletin,
Trust is defined on a certificate-by-certificate basis, rather than on the basis of the common name. As a result, a warning dialogue would be displayed before any of the signed content could be executed, even if the user had previously agreed to trust other certificates with the common name "Microsoft Corporation".
It seems more appropriate to remove VeriSign from the list of trusted CA's, but of course that would invalidate most of the certificates on the net.
--
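The two bulletin passages quoted in this thread (the revoked certificates carry no CRL Distribution Point, and trust is recorded per certificate rather than per common name) can be modelled together. This is an added example, not code from Microsoft, VeriSign or any poster; the `Cert` class, issuer label, serial numbers and byte strings are constructed stand-ins and no real X.509 parsing is done.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a code-signing certificate (constructed model)."""
    common_name: str
    issuer: str
    serial: int
    der: bytes                      # placeholder for the encoded certificate
    cdp_url: Optional[str] = None   # CRL Distribution Point, if the CA set one

    @property
    def fingerprint(self) -> str:
        # Identifies this exact certificate; same-name certs differ here.
        return hashlib.sha256(self.der).hexdigest()


def revocation_status(cert: Cert,
                      cdp_crls: Dict[str, Set[int]],
                      local_crl: Dict[str, Set[int]]) -> str:
    """Return 'revoked', 'good' or 'unknown'.

    cdp_crls:  {url: revoked serials} for CRLs a client can fetch via a CDP.
    local_crl: {issuer: revoked serials} installed on the machine itself.
    """
    checked = False
    if cert.cdp_url is not None and cert.cdp_url in cdp_crls:
        checked = True
        if cert.serial in cdp_crls[cert.cdp_url]:
            return "revoked"
    if cert.issuer in local_crl:
        checked = True
        if cert.serial in local_crl[cert.issuer]:
            return "revoked"
    # No CDP in the certificate and no local list: the client has no way
    # to learn that the CA revoked it.
    return "good" if checked else "unknown"


def decide(cert: Cert, always_trusted: Set[str],
           cdp_crls: Dict[str, Set[int]],
           local_crl: Dict[str, Set[int]]) -> str:
    """Per-certificate policy: revocation first, then fingerprint trust."""
    if revocation_status(cert, cdp_crls, local_crl) == "revoked":
        return "block"
    if cert.fingerprint in always_trusted:
        return "run"
    return "prompt"   # the user sees the warning dialogue


def decide_by_name(cert: Cert, trusted_names: Set[str]) -> str:
    """Weak policy for contrast: trust keyed on the displayed common name."""
    return "run" if cert.common_name in trusted_names else "prompt"


# Constructed sample data (labels and serials are placeholders).
ISSUER = "Class 3 code-signing CA (constructed label)"
GENUINE = Cert("Microsoft Corporation", ISSUER, 1001, b"constructed-der-genuine")
ROGUE = Cert("Microsoft Corporation", ISSUER, 2002, b"constructed-der-rogue")

# What the described update ships: a CRL stored locally, since no CDP exists.
LOCAL_CRL = {ISSUER: {ROGUE.serial}}

if __name__ == "__main__":
    user_trust = {GENUINE.fingerprint}   # "Always trust" ticked for the real cert
    print("name-based policy      :", decide_by_name(ROGUE, {"Microsoft Corporation"}))
    print("before update, by cert :", decide(ROGUE, user_trust, {}, {}))
    print("after update, by cert  :", decide(ROGUE, user_trust, {}, LOCAL_CRL))
    print("genuine, after update  :", decide(GENUINE, user_trust, {}, LOCAL_CRL))
```

Before the local CRL is installed the same-name certificate only reaches "prompt", which is exactly the point where several posters expect users to click through.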

Re:What about a slightly different name? (1)

erlenic (95003) | more than 13 years ago | (#346475)

The way I understand it, trademarks only apply in the same industry. I heard somewhere that there is a toilet bowl cleaner or something like that called Linux, and it's totally legal because they are different industries. That's why the original poster talked about making a window cleaning company. Although Microsoft could afford lawyers good enough to use the intent to deceive idea.

So... (2)

pongo000 (97357) | more than 13 years ago | (#346477)

The upshot is this: even though the two bogus certificates say they are Microsoft certificates, they are not trusted by default. You are guaranteed to see the warning dialogue the first time you encounter a program signed using either of these certificates, and will continue to see it unless you select "Always trust content from Microsoft Corporation" in response to the warning dialogue.

So does Microsoft seriously believe that the public, the same audience to which Microsoft caters as the "lowest common denominator" when developing such novelties as the talking paperclip, will suddenly divine an understanding of public key cryptography and the meaning behind these certificates? I think this might be the death knell for Microsoft as far as the ideas of "trust" and "security" are concerned.

Good riddance.

Re:VeriFucked (1)

Tom7 (102298) | more than 13 years ago | (#346479)

Uh.. what does this have to do with security through obscurity? AFAIK, the certification protocols are based on well-published algorithms.

"Security through Obscurity" is a nice-sounding catch phrase, but it doesn't apply to every discussion about security. It seems like someone always mentions it on slashdot, though....

(Nonetheless, you're right about the social engineering thing!)

Re:What about a slightly different name? (1)

Tom7 (102298) | more than 13 years ago | (#346480)


Sure, if your name is "confusingly similar" to Microsoft's, then they could probably bust you for trademark infringement. VeriSign could deny you a certificate for whatever reason they like, I suppose, but this would be a legitimate one.

Re:Had to happen eventually. (3)

Tom7 (102298) | more than 13 years ago | (#346482)

That may sound like a bold statement, but if you think about it for a moment, can you ever trust an automated software update again, even a "secure" one?

Yeah, maybe. Research is currently being done on how to do this without the idea of a trusted party. The general idea is that the code comes with a proof of its safety (or a proof that it meets some other specification), which is "easily" verified by a small piece of software on your computer. It's not a panacea (there is a world of difficulty in specifying the right policies), but it could certainly stop updates of application-level (or especially applet-level) software from containing naughtiness.

Check out http://www.cs.cmu.edu/~petel/papers/pcc/pcc.html [cmu.edu] for more info on Proof Carrying Code.

Re:Wondering... (2)

BradleyUffner (103496) | more than 13 years ago | (#346483)

All that checking that box does is to make the "accept" button the default instead of the "deny" button. It took me a few times to figure out what it was doing.
=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\=\ =\=\=\=\

Re:Some comments here... (1)

Trepalium (109107) | more than 13 years ago | (#346487)

Well, Microsoft Authenticode was supposed to remedy the danger of running code from an unknown author. Now with the false granted certificates, it suddenly becomes far more difficult to determine who authored the product. Although with all fairness, Authenticode was a disaster, with very few vendors bothering to sign their own products with the possible exception of ActiveX control vendors.

The real question is will Microsoft patch it by including proper certificate revocation lists, or will they just patch it by disallowing those two certificates.

Re:What about a slightly different name? (1)

Wizard of OS (111213) | more than 13 years ago | (#346488)

But there are like 20/30 CA's in my browsers list, some of them with very obscure names. Will they all refuse it?

--

What about a slightly different name? (4)

Wizard of OS (111213) | more than 13 years ago | (#346489)

What if i would own (I don't by the way ;-) the domain www.microsoff.nl. I register my company 'Microsoff' here in the netherlands, and claim I do window-cleaning (as long as the type of commerce you do is different, you can register a name here).

It should be possible for me to get a Verisign certificate for 'the Microsoff corporation'. Most users won't notice this, so I can trick people into running my code.

Is there anything that can be done against this? Has Microsoft trademarked all 'Microsoft'-alike names? Can Verisign refuse to give out a certificate?

--

Re:This Isn't Really A Microsoft Story. (1)

realdpk (116490) | more than 13 years ago | (#346493)

This is a Microsoft story. It's both a commentary on VeriSign's sad security, and a warning to those who have trusted Microsoft's certificates in the past to be aware of the fact that they may be bogus.

s/Code Signed by// (1)

SpanishInquisition (127269) | more than 13 years ago | (#346497)

can you handle the truth?

--

Re:Usually pretty obvious (2)

stilwebm (129567) | more than 13 years ago | (#346498)

This is all fine and dandy, assuming that you can personally be sure that all of the physical and transport layer connections between you and that host name, as well as the system which resolved the hostname are completely secure and trusted. Otherwise someone could see that you are downloading packets from host X and poof as host X, sending you packets that you now trust based on the host name only. After all, Microsoft has forgotten to renew a domain once before, who's to say they won't do it again? Only this time it might not be a white hat that fixes the problem.

This Isn't Really A Microsoft Story. (4)

istartedi (132515) | more than 13 years ago | (#346502)

This is a security story. The lock logo would have been more appropriate. Oh, wait... every time MS is mentioned on /. you get a spike in ad revenue. Carry on.

Where are the CRLs? (1)

Stupid Dog (133756) | more than 13 years ago | (#346503)

I am desperately making my way through the Verisign website, but I cannot find the CRLs. Where are they?

Thanks for the help,
Andreas Buschka

Re:Where are the CRLs? (1)

Stupid Dog (133756) | more than 13 years ago | (#346504)

Ok, got it:

http://crl.verisign.com

Now which one do I have to pull?

Re:what about those evil "Always Trust..." checkbo (1)

Pakaran2 (138209) | more than 13 years ago | (#346508)

As several others have posted, the trust is granted on a per-certificate basis. You're trusting code signed with that certificate. Mind you, that doesn't prevent people automatically agreeing again when they see the Microsoft name on the certificate...

Re:Some comments here... (1)

Pakaran2 (138209) | more than 13 years ago | (#346509)

The real question is will Microsoft patch it by including proper certificate revocation lists, or will they just patch it by disallowing those two certificates.
At the present time, what is distinguishing the two in question from the 'real' MS certificates? I don't see that much. If it's possible for MS to revoke those two, why can't the crackers revoke the real ones?

Some comments here... (5)

Pakaran2 (138209) | more than 13 years ago | (#346512)

Who should read this bulletin: All customers using Microsoft® products.

Impact of vulnerability: Attacker could digitally sign code using the name "Microsoft Corporation".

Recommendation: All customers should follow the administrative procedures detailed in the FAQ. A software update will be issued shortly to provide permanent remediation.

I find it very fascinating that MS doesn't mention anything about the hazards of running code from an unknown author.

I would also hope that Verisign is taking a very serious look at their procedures - if CAs don't verify identities before issuing certificates, what good are they?

For that matter, how were individuals - MS employees or not - given keys in the company's name? There's no need for an individual employee to have those - especially before calling to check with executives within the company.

Re:Bigger problem (1)

richardbowers (143034) | more than 13 years ago | (#346515)

Bzzt! That trust should never have been there in the first place. The only thing you should be trusting Verisign for is that they should produce only one certificate for each domain name. The corporate name in the certificate should never be a matter of trust, since it implies that only one company or individual will ever have the same name.

This may not be clear in the case of Microsoft - there's only one, right? But think about something a little less clear. For example, there are a number of companies that do business as AMS - there's American Management Systems [amsinc.com] and AMS.Net [ams.net] to name two. They are completely unrelated, but either one could justifiably order up a certificate from Verisign with a corporate name of AMS. When the little window comes up to ask you if you trust them, just going by the name won't help you in the least, and that isn't Verisign's fault.

Even with Microsoft, there's nothing that guarantees that another company can't use that name. If they are commercial and operate in the US, they'd be sued into oblivion, but that doesn't mean they couldn't legally incorporate under that name. You could open Microsoft.org, for example, a non-profit that doesn't compete with Microsoft or use their mark for commercial purpose, and I don't think they could do much to you.

All of the preceding is just to say that trusting the corporate name is bunk. Verisign does not and cannot guarantee that the corporate name portion of a cert will equate to the company you think it does, even if they could guarantee that it was accurate.

Re:So how is this Microsoft's fault? (1)

richardbowers (143034) | more than 13 years ago | (#346516)

Well, are they the ones who thought it was smart to have the "Do you trust this company?" screen emphasize the name of the company?

Nice Visibility (1)

Lizard_King (149713) | more than 13 years ago | (#346520)

Who should read this bulletin: All customers using Microsoft® products.

I'm sure all Microsoft customers will know to navigate to /technet/security/bulletin/MS01-017.asp

Re:I am a complete idiot (1)

neema (170845) | more than 13 years ago | (#346524)

haha, i was going to point out that you were an idiot but you did it yourself.

Re:What about a slightly different name? (2)

Ian Wolf (171633) | more than 13 years ago | (#346525)

I'm totally unsure, but I think they can sue you for violating their trademark because it is so similar as to be misleading. They might even have an easier time if they demonstrate that your intention is to deceive. However, like I said, I'm not too certain about this.

Who cares? (1)

abrager (175240) | more than 13 years ago | (#346526)

From the msnbc article: 'The software giant is warning users to be suspicious of any program that arrives with a certificate claiming Microsoft's authority.' uhh i do that anyway.
---

Re:Uh.. (4)

Fervent (178271) | more than 13 years ago | (#346528)

The real question is, why is this story posted under Microsoft at all? Clearly Verisign made the mistake. And the title "Don't Trust Code Signed by 'Microsoft Corporation'" doesn't exactly help the situation.

Guys, Microsoft is not nearly as evil as you think it is. Yes, they had a track history, and yes clearly Bill Gates is a dick, but there are a lot of cool OS and game programmers, and hardware specialists that put out some wicked shit. You have to separate the company from the nerds like you and me.

Hahaha! (5)

jonfromspace (179394) | more than 13 years ago | (#346531)

Hmmm... Verisign and Microsoft... now there's a team that just reeks of reliability!

Surprised? - Not really
Worried? - No more than yesterday
Still accepting certs without EVER reading them? - You Bet Your Sweet Ass!!!

It's not just an OS, It's an adventure!

Well, duh ... (2)

Wordsmith (183749) | more than 13 years ago | (#346533)

Do you really expect the average Slashdot reader to trust ANYTHING signed by Microsoft?

WTF? (5)

dR.fuZZo (187666) | more than 13 years ago | (#346534)

They make me send them multiple faxes and wait two weeks when I forgot my domain password, but some guy says he's from MS and that's good enough for them?

Barf. (5)

sulli (195030) | more than 13 years ago | (#346538)

From the MS announcement, why PKI sucks:

VeriSign has revoked the certificates, and they are listed in VeriSign's current Certificate Revocation List (CRL). However, because VeriSign's code-signing certificates do not specify a CRL Distribution Point (CDP), it is not possible for any browser's CRL-checking mechanism to download the VeriSign CRL and use it. Microsoft is developing an update that rectifies this problem. The update package includes a CRL containing the two certificates, and an installable revocation handler that consults the CRL on the local machine, rather than attempting to use the CDP mechanism.

Translation: This cert is bad, but the authority issuing it can't tell you this, even though the authority claims to be responsible for doing so. Microsoft and said authority didn't think of this, and so they now have to come up with a totally kludgey patch which they promise won't break anything else.

This is so fucking confusing even to someone who is fairly technical - can you imagine Joe User's reaction to this? Makes code signing pretty much useless.
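The situation in the bulletin excerpt quoted above, as an added illustration that is not part of the thread or the bulletin: a certificate with no CDP cannot be checked by downloading a CRL, a name-only trust decision cannot tell the fraudulent certificate from a genuine one, and a locally installed CRL keyed on issuer and serial can. The `Cert` model, the function names, the issuer string and the serial values are all hypothetical placeholders constructed for this sketch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the signer-certificate fields that matter here."""
    common_name: str
    issuer: str
    serial: str             # constructed placeholder, not a real serial number
    cdp_url: Optional[str]  # CRL Distribution Point; None when the cert omits it

# Constructed sample data: a legitimate certificate and a fraudulently obtained
# one carrying the same common name from the same issuer, both without a CDP.
ISSUER = "Example Class 3 Code Signing CA"
GENUINE = Cert("Microsoft Corporation", ISSUER, "SERIAL-GENUINE-0001", None)
FRAUD = Cert("Microsoft Corporation", ISSUER, "SERIAL-FRAUD-0001", None)

# Locally installed CRL keyed on (issuer, serial), the pair that identifies a
# certificate uniquely; the common name is not part of the key.
LOCAL_CRL = {(ISSUER, "SERIAL-FRAUD-0001")}

def trust_by_name(cert, always_trusted_names):
    """Name-only decision: cannot tell the two certificates apart."""
    return cert.common_name in always_trusted_names

def cdp_status(cert, fetch_crl):
    """CDP-based check: with no CDP there is nothing to download."""
    if cert.cdp_url is None:
        return "unknown"
    revoked = fetch_crl(cert.cdp_url)  # set of (issuer, serial) pairs
    return "revoked" if (cert.issuer, cert.serial) in revoked else "good"

def local_status(cert, local_crl):
    """Local-CRL check: works even when the cert carries no CDP."""
    return "revoked" if (cert.issuer, cert.serial) in local_crl else "good"

def accept(cert, always_trusted_names, local_crl, fetch_crl=lambda url: set()):
    """Revocation first, then the name. An 'unknown' CDP result is not
    treated as good; the local CRL is always consulted as well."""
    if cdp_status(cert, fetch_crl) == "revoked":
        return False
    if local_status(cert, local_crl) == "revoked":
        return False
    return trust_by_name(cert, always_trusted_names)
```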

Re:MicroSoft Should Be Listing...... (1)

donutz (195717) | more than 13 years ago | (#346539)

ha....he was asking for it eh?

. . .

Re:Wondering... (1)

humpmonkey (202226) | more than 13 years ago | (#346540)

Thanks, I've always wondered about that.
with humpy love,

Uh.. (5)

ExTycho (218077) | more than 13 years ago | (#346545)

We trusted MS Before?! Did i blink and miss something?

Getting your money's worth (3)

HyperbolicParabaloid (220184) | more than 13 years ago | (#346547)

This certainly adds a new dimension to recent /. discussions about what, exactly, you get when you pay for an expensive certificate!!


-------------------------

Here's a thought. (3)

canning (228134) | more than 13 years ago | (#346548)

A software update is under development and will be released shortly. When it is available, we will update this bulletin to provide information on how to obtain and use it.

What if the hacker(s) releases a patch before MS releases one?

It's pretty inevitable that sb'd say this... (1)

Gord.ca (236984) | more than 13 years ago | (#346553)

...but doesn't almost everyone on Slashdot not trust code signed by 'Microsfot Corporation' already??? ;-)

Re:Wondering... (2)

SlippyToad (240532) | more than 13 years ago | (#346556)

I always hesitated over checking that box, and now I'm glad of it. My essential mistrust of the system turned out to be intuitively correct. Though Verisign says it's so, there's no real way for me to know that Verisign has done their homework. Which, they haven't.

Had to happen eventually. (4)

RareHeintz (244414) | more than 13 years ago | (#346564)

If this doesn't wake people up to the problems with the very idea of certification authorities, I don't know what will. Any public key infrastructure hinging on trust of a central authority like this is doomed to fail, and in exactly this spectacular manner.

That may sound like a bold statement, but if you think about it for a moment, can you ever trust an automated software update again, even a "secure" one?

OK,
- B
--

And this makes Hailstorm all better! (3)

Mercaptan (257186) | more than 13 years ago | (#346567)

I know it's Verisign's fault, but it really doesn't make the consumer side of .NET sound very trustworthy. I understand they're going to be using Kerberos for the Hailstorm identity back-end, but clearly there's plenty of room for Microsoft to botch. They're well positioned (and well funded) to actually go ahead with it, but the question is how much will people trust Microsoft? Even paired up with AmEx?

Trusted Authority? Damages? (1)

pixel_bc (265009) | more than 13 years ago | (#346585)

... my ass Verisign is a "trusted authority."

What steps can be taken to prevent this in the future? This is potentially a very dangerous precedent. Should Verisign be held accountable for any resulting damages that result from people being duped by this certificate?

Now that's an interesting question. Can we trust their certs from now on? I'll always be second guessing them now. (sigh)

Re:Wondering... (4)

dachshund (300733) | more than 13 years ago | (#346588)

when one of those VeriSign things pop-up, you have an option to check "Always Trust Xyz Corp"

That dialog refers to the organization that signed the certificate. Most browsers (at least, IE and Netscape) come equipped to trust any certificate signed by Verisign. When you go to a page with a Verisign cert, the browser will trust the certificate, regardless of what company actually owns it.

Since in this case the certs were purchased from Verisign, your browser won't have any problem at all with them (it'll just assume that Verisign is trustworthy.) You won't get that dialog at all. If you look at the security info for that page, it'll show the page as registered to Microsoft corporation. Generally MS signs their own certificates, so it would be a little odd to see a cert owned by MS and signed by Verisign (although they may actually do this.)

Re:Bigger problem (1)

cavemanf16 (303184) | more than 13 years ago | (#346590)

Since when has it been a good idea to explicitly trust anyone with utter confidence that they are infallible?

Certification Practice Statements (1)

euphline (308359) | more than 13 years ago | (#346593)

It is standard operating procedure at a CA to produce a "CPS" or Certification Practice Statement. This document discusses how the Certificate Policy is carried out. Specifically, it tells what the standard is for I&A (Identification and Authentication) of a business or individual before issuance of a given level of certificate.

Verisign has such a statement [verisign.com], which itemizes what they (in theory) do before issuing a cert.

-jbn

Re:What about a slightly different name? (1)

banuaba (308937) | more than 13 years ago | (#346594)

I'm sure that Verisign can do pretty much whatever they want. They're a private company in the US, AFAIK and can therefore refuse service to anyone who ticks them off...
Brant

Usually pretty obvious (3)

banuaba (308937) | more than 13 years ago | (#346595)

It's usually not hard to figure out if you're getting a MS product online.
The files tend to come from domains like, oh, say, microsoft.com or mechwarrior4.com...
Now, of course, if you are trying to download 'http://ftp.goatse.cx/hotgaypr0n.exe' and it's signed by MS you a) have other problems and b) deserve whatever you get if you accept the file.

Of course, this is probably not too good for Verisign, as they now look like dumbasses, and have probably pissed off MS to boot.


Brant

So how did a class 3 get out? (3)

Robert A. Heinlein (315073) | more than 13 years ago | (#346596)

Take a look at the requirements to get a Class 3 cert:

http://www.verisign.com/repository/CPS/CPSCH2.HTM#_toc361806948 [verisign.com]

http://www.verisign.com/products/asb/faq.html [verisign.com]

Especially interesting is the Assurance level that comes with this cert.

Even if these certificates are never used, there will be some pretty heavy US govt. involvement as a result of this.

Anyone know if this has happened with any companies less visible than MS? A quick search did not turn anything up, but if Verisign's procedures could let something like this slip through...

Re:This seems to imply. . . (1)

twbecker (315312) | more than 13 years ago | (#346597)

...but doesn't almost everyone on Slashdot not trust code signed by 'Microsfot Corporation' already??? ;-) Score 2, Funny

that most of us would otherwise trust code signed by Micro$haft. Score 0, Offtopic.

...And mine was first. Whatever.

"Always trust content from Microsoft Corp?" (1)

Corporate Drone (316880) | more than 13 years ago | (#346599)

When you download files with certificates, doesn't Windoze provide you with the option to allow acceptance of future files certified by the provider?

In other words, if a Windoze user has already said "yes" to "always accept software from Microsoft" then... yikes!

Just Microsoft? (1)

isa-kuruption (317695) | more than 13 years ago | (#346600)

This could have happened to anyone, any company, including GNU-based organizations that use SSL certificates to authenticate themselves. (like lots of people do with Certificates and vulnerability advisories?) Or maybe when you go to http://www.rehdat.com/ and purchase the new release =)

Funny (1)

Keslin (319658) | more than 13 years ago | (#346602)

Microsoft is one of the only companies that ever really bothers to sign their software modules anyway, so this kind of makes it glaringly obvious that the whole concept is broken. Most other companies don't bother to sign, and then they provide help on how to click past the Windows 'this driver is not signed' warnings.

-Keslin [keslin.com] , the naked nerd girl

Re:Typical slashdot sensationalism (1)

silent_poop (320948) | more than 13 years ago | (#346603)

Watch out...they'll moderate you down for it too.

--

Re:What about a slightly different name? (1)

Spamalamadingdong (323207) | more than 13 years ago | (#346606)

You'd still have prior claim to the name in that business, because you were using it there first.
--
spam spam spam spam spam spam
No one expects the Spammish Repetition!

Re:What about a slightly different name? (1)

SA3Steve (323565) | more than 13 years ago | (#346607)

It wouldn't work. It isn't legal to make a name close to another company's to confuse other people. For example, a few people had set up web pages where a few of the letters were reversed or similar stuff like that and some of them got taken down through legal action.

I wonder... (1)

Some Wanker (398209) | more than 13 years ago | (#346611)

...if Verisign bears any liability for this. If people start doing this very much, it will undermine confidence in Verisign. I wonder how they are dealing with it.

what about those evil "Always Trust..." checkboxes (1)

CanuckGuy (398236) | more than 13 years ago | (#346612)

From the ActiveX download warnings. I mean, that's what could really F$ck you up...

Approximately 1/3rd of the IE/AOL users have probably already decided that "Yaaa, stuff from Microsoft should be alright.." and checked the box. Now anything from "Microsoft Corperation" gets installed sight unseen (innovation in action).

Bam.

say goodbye to your HD.