On 12/07/2011 07:01 PM, lodewijk andré de la porte wrote:
I figured it'd be effective to create a "security awareness group" figuring the most prominent (and only effective) way to show people security is a priority is by placing a simple marking, something like "this site isn't safe!"
I thought the international symbol for that was already agreed upon: goatse.cx On 12/07/2011 07:13 PM, lodewijk andré de la porte wrote:
I'm afraid signing software is multiple levels of bullocks. Imagine a user just clicking yes when something states "Unsigned software, do you really want to install?".
You're just thinking of a few code signing schemes that you have direct experience with.
Apple's iPhone app store code signing is far more effective for example.
Imagine someone working at either a software or a signing company. Imagine someone owning a little bitty software company that's perfectly legitimate and also uses the key to sign some of his maleware.
His own malware? With his own certificate? How dumb can he be?
Software signing isn't usable for regular end users, experienced users already have hashes to establish integrity up to a certain level, guru's and security professionals compile from source instead of trusting some binary. And yes that does exclude hidden-source software, it's the only sensible thing to do if you don't want trust but real security!
A scandal broke just the other day when http://download.cnet.com/ was found to be trojaning downloaded executables in their custom "download manger" wrapper. Just to be helpful, this wrapper would change your home page to Microsoft, change your search engine to Bing, and install a browser toolbar that did lord knows what other helpful stuff if you were dumb enough to click the "Yes please install the helpful thing I downloaded" button. After the find their PC filled with crapware, users likely attribute it to the poor unsuspecting developer of the legitimate application they'd intended to download.
Even the simplest code signing mechanism at least prevent application installers from being corrupted by commercial distribution channels like that. But only IF enough users were given a security justification for insisting on a valid signature on the installers that CNET would recognize that that kind of sleazy practice it would harm their brand.
http://download.cnet.com/8301-2007_4-57338809-12/a-note-from-sean-regarding-the-download.com-installer/
MS Windows 8 is said to be introducing an app store distribution channel. - Marsh _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography