Ok, true, but it's not marketed as that, and it's not positioned as
that, and people believe this thing means that it's somehow safe. 

From Thawte's website:

http://www.thawte.com/ssl-digital-certificates/code-signing/index.html?click=main-nav-products-codesigning

# Gives your users recourse to the person who published it
# Promotes the Internet as a secure and viable platform for content distribution
# Inspires user confidence

And for chrissakes, this thing has been around for MONTHS.  We're only
breaking it now.  

Alex


 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 12, 2007 3:42 PM
To: Paul Ferguson
Cc: [email protected]
Subject: Re: [funsec] Sunbelt: Gromozon Malware Digitally Signed by
Thawte

On Wed, 12 Sep 2007 19:00:45 -0000, Paul Ferguson said:

> It's stuff like this that sometimes makes you just throw your hands in
> the air.
> 
> http://sunbeltblog.blogspot.com/2007/09/for-shame-thawte-trusts-gromozon.html

Unfortunately, that's Working As Designed.  Authentication vs
Authorization.

Thawte has certified that malware really *is* from Gromozon, and not
from some even sleazier entity pretending to be Gromozon.  That's all
they *claim* to do with their certificates.

Whether you should trust the signed contents, knowing they *are* from
Gromozon, is way out of scope for a certificate.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
