On Fri, 23 Mar 2001, Bob Bell wrote:
>> Just for those of you who have not seen the bulletin, there is yet another
>> reason to look towards Linux.
> 
> My understanding is that this has nothing to do with Microsoft
> Windows.

  The problem is a design flaw in Internet Explorer/Windows, specifically,
ActiveX.

  When Microsoft discovered the Internet back in 1996, they saw it as an
obvious threat to their OS monopoly.  Here was a system for making
interactive, multimedia content available to anyone with any computer -- not
just a Windows computer!  Obviously, that had to be stopped.

  So Microsoft developed ActiveX.  ActiveX is Microsoft's client-side
programming solution, like Java applets are/were for Sun/Netscape.  
Basically, an ActiveX "control" is a piece of dynamically linked code that can
be downloaded and run in the browser on demand.  This code is native machine
code that runs with the full privileges of whatever process is running the
browser.  It is also a Windows-only technology (surprise!).

  On a Windows 95/98/ME PC, that means that ActiveX is a way for a web page to
run arbitrary programs as "root" on your PC.  On Unix, we have security
nightmares about that; Microsoft includes it as a feature.

  Microsoft has come up with all sorts of stupid ideas to try and fix this.  
It is kind of like trying to fix a leak in a boat made out of window
screening.  They just don't seem to get that running arbitrary machine code
from the Internet with full privileges is BAD.

  One of Microsoft's stupid ideas to fix ActiveX was to let ActiveX controls
(programs) be digitally signed.  Combined with a PKI, this lets you verify that
the control came from a certain party.  In reality, that is not useful; it
just lets you know which programmer/vendor wrote the code that screwed you.  
It fits Microsoft's line of thinking though: "All users should trust
Microsoft.  Microsoft can do no wrong.  Microsoft should be the only company
producing software.  Let users verify that the software came from Microsoft,
thus protecting the user."

  In this particular case, VeriSign (another winner when it comes to security
design </SARCASM>) screwed up and issued a certificate to Someone Not
Microsoft in the name of Microsoft.  Now this Someone Not Microsoft can sign
ActiveX controls and make it appear as if they came from Microsoft.

  You can solve this problem by turning on the feature of MSIE called "Check
for certificate revocation".  That will cause MSIE to check every certificate
it gets to see if it has been revoked by the issuer.  Naturally, this feature
is turned off by default for all versions of MSIE.

> This is not related to MS Windows.

  Except that MSIE *is* MS Windows, or at least, so Microsoft tells us.

> The error here was made by VeriSign, not Microsoft ...

  VeriSign screwed up by not checking when they issued a certificate, but I
think Microsoft has made enough bad design decisions to make them guilty, too.

> ... [VeriSign] was tricked into believing ...

  You make it sound like it was difficult.  From all reports, this was how it
went:

  Criminal: Can I have a certificate in Microsoft's name?
  VeriSign: Are you from Microsoft?
  Criminal: Yup.
  VeriSign: Are you lying?
  Criminal: Nope.
  VeriSign: Okay, here ya go.  Next!

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839

