Jean-Marc Desperrier <[EMAIL PROTECTED]> writes:

>Peter Gutmann wrote:
>[Revocation info]
>> That's addressing entirely the wrong threat model.
>No. You just prove they are other threats to address, and that if we
>don't address them, we don't even need to care about revocation.
>> The problem with ActiveX
>> controls isn't (apart from one or two proof-of-concept ones) someone creating
>> a malicious signed control (or FF plugin, or whatever). The problem is the
>> bad guys exploiting holes in controls created by others. Signed, unsigned,
>> doesn't make any difference to the attacker.
>No, signed/unsigned does make a difference and you prove it.
>If you require signed Active X, attacker will stop using unsigned
>ActiveX, and will look for another weak point to attack.

The attackers never even bothered with getting around the signing. They either put up web pages telling users how to allow unsigned ActiveX (very, very common, you get step-by-step screenshots of any warning dialogs and detailed instructions on where to click to allow the control to run, you also see this in printed documentation for boxed software, "When you install our software the following warning will appear, click 'Ignore' and continue..."), or they exploit someone else's ActiveX control. Signed ActiveX has never had to be attacked, because there's no need to. So in terms of attack surface reduction, sure, go ahead and sign the things, but beyond that it's not worth devoting any resources to it.

Peter.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
