On 19/02/13 02:33 AM, Jon Callas wrote:
> On Feb 18, 2013, at 7:07 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
> > I've just done a quick tally of the certs posted to
> > http://www.ccssforum.org/malware-certificates.php, a.k.a. "Digital
> > Certificates Used by Malware". Looks like Verisign (and its sub-brand Thawte)
> > are the malware-authors' CA of choice, selling more certs used to sign malware
> > than all other CAs combined. GeoTrust comes second, and everything below that
> > is in the noise. GoDaddy, the most popular CA, barely rates. Other CAs
> > who've sold their certs to malware authors include ACNLB, Alpha SSL (which
> > isn't supposed to sell code-signing certificates at all as far as I can tell),
> > Certum, CyberTrust, DigiCert, GeoTrust, GlobalSign, GoDaddy, Thawte,
> > StarField, TrustCenter, VeriSign, and WoSign. Everyone's favourite whipping-
> > boy CAs CNNIC and TurkTrust don't feature at all.
> >
> > Caveats: These are malware certs submitted by volunteers, so they're not a
> > comprehensive sample. The site tracks malware-signing certs and not criminal-
> > website certs, for which the stats could be quite different.
>
> Interesting, but I have a raised eyebrow.
>
> As Andy Steingruebl pointed out, there are a lot of malware certs that are
> stolen, so this data needs to be normalized against market share. Similarly
> relevant would be the CAs with significantly fewer certs there than market
> share would indicate. My former employer, Entrust, has zero certs in that
> database. What does that mean? Anything?
>
> Why pick on the CAs at all? Frankly, the real problem with signed malware is
> that the *platforms* have the policy that equates a signature with reputation.
> That's the thing that to me is mind-bogglingly daft. It's the equivalent of the
> TSA wanting a government issued ID, because as we all know, terrorists can't
> get ID.

You, I, others can easily imagine solutions. We can even model them and
predict success. But the browsers won't shift. Why is this?

One word might capture it: CHANGE. The vendors are incapable of
changing their security model, and the CAs are terrified of changing
their revenue model. For quite different reasons, but it does seem that
they are united in their desire to avoid CHANGE. Indeed, if you look at
CABForum, two striking things come out.

Firstly, nothing changed. Comparing their output in documents to the
practices developed by VeriSign in the mid 1990s, the best thing you can
say is that CABForum documents have better documented that 1990 security
model. Secondly, and for this you need a bit of institutional business
knowledge [0], the structure of CABForum is (or was [1]) designed
perfectly to avoid CHANGE.

Time-wise, code-wise, architecturally speaking, product-mix,
structurally, everything about the sector is built to avoid CHANGE.

When we look at the 1990s, the issue OP raises is quite simple. That
wasn't envisaged in the 1990s.

> If you separate signatures from reputation, then anti-malware scanners can
> detect malware by a database of known malware signatures, and then infer
> upwards from a piece of malware to a key owned by or suborned by a malware
> author. They could conveniently kill malware by code signature or signing cert,
> as appropriate. They could even go beyond malware to disable things like known
> buggy or exploitable versions of software. I don't see why they aren't doing
> that now. They don't even need the platform makers to play along.

An alliance of the platforms and the anti-malware people would make it
unnecessary to even have a CA-issued code signing cert.

That's the sort of CHANGE that causes all concerned to run away in fear,
huddle, and ensure that such suggestions never ever see the light of day.

Question then is, what to do about it? Peter has immense fun poking at
the holes. Some get good mileage out of studying and
reverse-engineering the business. I spent years trying to encourage one
vendor to change, something, anything. Others with integrity
participate in these 'forums' and get a frustration at the players,
which grows into loathing.

Because the sector is unified in its rejection of CHANGE, the only real
systemic solution is bypass. Here is what I would do. If I was a CA,
I'd sell out. The business is a bit of a cash cow. It is OK for now,
but its future is a bit dim.

If I was an outsider, I would simply not recommend the security model in
any seriousness. As a security consultant, I would rate CA-provided
certificates as "mostly harmless" and encourage my client to explore
other solutions. Security consultants cannot recommend against a 'best
practices' model without risking being labelled as a kook, but on the
other hand, integrity of the business is such that one cannot recommend
a solution knowing it to be facadal or dangerous, especially as there is
a non-trivial and rising risk that someone is going to be sued by a bank
over this, once a bad judgement comes down over some big phishing or
similar heist. So some safe skeptical message is needed. E.g., when
looking at code-signing for apps, ask the vendor how they secure the
system. Ignore the sigs entirely.

If I was a vendor, I'd be working in Javascript, HTML5, sandboxing,
social networking, and replacing the whole bloody lot with low-end,
medium-grade fast crypto tapping into the graph. Bypass. Something
will shake loose. E.g., do what google is doing, but I'd be more
impatient than those pussies :)

If I was an academic, I suppose I'd write papers on why the structure of
the sector mitigated against the security it was trying to deliver, and
pontificate on what would be better -- because there will be a next
time, and we don't want these mistakes repeated.

iang

[0] the structural / institutional aspects are widely taught in better
business schools and in economics. Unfortunately they are somewhat
deadly boring to our tech community, so eyes will mostly glaze over.
Sadly, IMHO, they provide the only sound or quasi-scientific explanation
for these questions.

[1] they have got the message that they must open up, and a splinter
group has apparently left and started a new forum. Quite why this is
can't be divined by outsiders (which is how they want it) but I'm sure
there is an interesting story there.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
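
The inference Jon Callas describes in the thread (from a known-malware sample up to its signing cert, then blocking by hash or by cert "as appropriate"), sketched as an added example that is not part of the original messages. The record layout, the `min_bad_ratio` threshold and all sample values are constructed assumptions; a cert that also signed known-good files is treated as possibly stolen and sent for review instead of being blocked outright.

```python
from collections import defaultdict

# Constructed sample data: (file hash, signer cert fingerprint) placeholders.
OBSERVATIONS = [
    ("mal-a", "cert-1"), ("mal-b", "cert-1"), ("new-c", "cert-1"),
    ("mal-d", "cert-2"), ("ok-e", "cert-2"), ("ok-f", "cert-2"), ("ok-g", "cert-2"),
    ("ok-h", "cert-3"),
]
KNOWN_BAD = {"mal-a", "mal-b", "mal-d"}            # scanner's malware database
KNOWN_GOOD = {"ok-e", "ok-f", "ok-g", "ok-h"}      # files already vetted as clean


def build_blocklists(observations, known_bad, known_good, min_bad_ratio=0.5):
    """Return (blocked_hashes, blocked_certs, review_certs).

    A cert is blocked when most of the classified files it signed are known
    malware; a cert with mostly clean output plus some malware is flagged for
    review, since the key may have been stolen from a legitimate publisher.
    """
    known_bad, known_good = set(known_bad), set(known_good)
    signed_by = defaultdict(set)
    for file_hash, cert_fp in observations:
        signed_by[cert_fp].add(file_hash)

    blocked_hashes = set(known_bad)      # known samples are always killed by hash
    blocked_certs, review_certs = set(), set()
    for cert_fp, hashes in signed_by.items():
        bad = hashes & known_bad
        if not bad:
            continue                     # no evidence against this key
        good = hashes & known_good
        if len(bad) / (len(bad) + len(good)) >= min_bad_ratio:
            blocked_certs.add(cert_fp)   # key behaves like a malware author's
        else:
            review_certs.add(cert_fp)    # likely suborned key: block per file
    return blocked_hashes, blocked_certs, review_certs


def verdict(file_hash, cert_fp, blocked_hashes, blocked_certs):
    """Decide on one signed file without consulting any CA-based reputation."""
    if file_hash in blocked_hashes:
        return "block:hash"
    if cert_fp in blocked_certs:
        return "block:cert"
    return "allow"
```

With the constructed data, the never-before-seen file `new-c` is blocked because of its signer, while clean files signed with the possibly stolen `cert-2` key still run.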