Date: 5 Mar 1997 14:00:45 GMT
From: fjh@mundook.cs.mu.OZ.AU (Fergus Henderson)
Subject: Re: Comments and corrections on Authenticode (Atkinson, RISKS-18.85)

>First, a correction. Microsoft does not have any 'certification procedures'
>with respect to the integrity or lack thereof of third party applications
>against security attacks.

That is precisely Theodore Y. Ts'o's point: Microsoft does not have any certification procedures that could prevent such attacks. As a result, there are significant risks associated with the use of Microsoft's Active X technology.

>Software developers, as they always have been, have the responsibility of
>themselves exercising appropriate diligence in this regard.

True, but because third parties can provide potentially hostile input to Active X controls -- at least for those classified as "safe for initialization" -- the "appropriate diligence" for such an Active X control is much greater than that required for an ordinary application. The "appropriate diligence" required is similar to the diligence required for a Unix setuid executable. And past experience suggests that this high level of diligence is often lacking: setuid programs are very often the cause of security holes.

>Users want and demand a rich computing experience.

Yes, but users also "want and demand" to be able to log into systems without having to type in any silly passwords... it is our job as computer professionals to educate users about the risks involved and, wherever possible, to protect them from such risks.

>We have decades if not centuries of experience with this model of conduct
>between supplier and customer. It seems to work pretty darn well.

Yes. One of the reasons it works so well is that there is a reasonably hefty financial hurdle that you need to overcome in order to distribute software using traditional distribution channels. However, the Internet promises to change that.

The Internet is a very low entry-cost distribution mechanism, and while that is a very desirable property, it is not without its associated risks. Lowering the entry cost increases the chance of abuse. Furthermore, automating the process increases the chance that abuse may go unnoticed. So even if Active X were to faithfully imitate traditional distribution channels in every other way, the risk may well be much higher. That is why I think we need to move to technologies that offer better security than either Active X or traditional distribution channels. Java applets are one such technology.

>2. The code could be signed, and then downloaded by IE3, and accepted by the
>user. That is, the crooks can if they like leave their clear, unsmudged
>fingerprints all over their illegal device. This makes catching and
>convicting the responsible party somewhat easier.

A thief would of course be foolish to leave their own fingerprints on an illegal device. It would be much more sensible for them to sign with a stolen key. Now of course it may well be difficult for thieves to steal Microsoft's key, but all it takes is _one_ careless vendor who doesn't guard their key well...

Fergus Henderson WWW: