Peter Gutmann wrote: [Revocation info]
That's addressing entirely the wrong threat model.
No. You just prove they are other threats to adress, and that if we don't adress them, we don't even need to care about revocation.
The problem with ActiveX
controls isn't (apart from one or two proof-of-concept ones) someone creating
a malicious signed control (or FF plugin, or whatever). The problem is the
bad guys exploiting holes in controls created by others. Signed, unsigned,
doesn't make any difference to the attacker.
No, signed/unsigned does make a difference and you prove it.
If you require signed Active X, attacker will stop using unsigned ActiveX, and will look for another weak point to attack.
I thought the weak point would be the registration, getting a certificate despite you are not the one you pretend, and if that suceed, we'd better have an effective revocation mechanism.
I don't believe we have any chance at a perfect registration mechanism, so we should not even try to get without effective revocation.
What you show is that in fact the weak point they attack is not the registration, but weaknesses in legitimately signed extensions, because that's even easier.
But does it show requiring signature didn't work ?
No, if we do not start by requiring signature, they won't even be doing that effort of searching for vulnerabilities in legitimatly signed components.
It's because the signature worked that they began doing that, and that other problems must be solved.
Also vulnerabilities in reputable components are a weak point that must be solved whether or not we require signatures on components.
And if it is solved, they will attack registration. And if we solve the registration problem, they will find something else. It's not a game where we can stop and say "we have won". But if we stop and do nothing, they have won. And the whole thinking about registration/revocation allows to be one step ahead and not behind, for once.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
