On Dec 9, 2011, at 3:46 18PM, Jon Callas wrote:
>
> On 8 Dec, 2011, at 8:27 PM, Peter Gutmann wrote:
>
>> In any case getting signing certs really isn't hard at all. I once managed it
>> in under a minute (knowing which Google search term to enter to find caches of
>> Zeus stolen keys helps :-). That's as an outsider, if you're working inside
>> the malware ecosystem you'd probably get them in bulk from whoever's dealing
>> in them (single botnets have been reported with thousands of stolen keys and
>> certs in their data stores, so it's not like the bad guys are going to run out
>> of them in a hurry).
>>
>> Unlike credit cards and bank accounts and whatnot we don't have price figures
>> for stolen certs, but I suspect it's not that much.
>
> If it were hard to get signing certs, then we as a community of developers
> would demonize the practice as having to get a license to code.
>
Peter is talking about stolen certs, which for most parts of the development
community aren't a prerequisite... But there's an interesting dilemma here
if we insist on all code being signed.
Assume that a code-signing cert costs {$,€,£,zorkmid}10000/year. Everyone but
large companies would scream. Now assume the cost is {$,€,£,zorkmid}.01/year
or even free. At that price, it's a nuisance factor, and would be issued via
a simple web interface. Simple web interfaces are scriptable (and we all know
the limits of captchas), which means that malware could include a "get a cert"
routine for the next, mutated generation of itself. In fact, they're largely
price-insensitive, since they'd be programmed with a stash of stolen credit
cards....
--Steve Bellovin, https://www.cs.columbia.edu/~smb
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography