Steven Bellovin <s...@cs.columbia.edu> writes: >When I look at this, though, little of the problem is inherent to PKI. >Rather, there are faulty communications paths.
"Oh no my Lord, I assure you that parts of it are excellent!" :-). >[...] how should the CA or Realtek know about the problem? [...] That was the whole point, that the whole system doesn't work, and it's the system as a whole that has to work, not just some parts of it. Here's another description, without the possibly confusing 't +/- x' stuff: Shortly after the malware appeared (or at least got noticed) it was added to anti-virus vendor databases and pushed out to users via updates. Some time later when it made headlines because of its use of the Realtek certificate, the CA that had issued it read about it in the news, contacted the certificate owner, and revoked it. However due to the dysfunctional nature of revocation handling, the certificate was still regarded as valid by Windows systems after it had been revoked, and of a range of machines running Windows 7, Vista, and XP, all with the latest updates and hotfixes applied and with automatic updates turned on, the first machine to notice the revocation and treat the signature as invalid didn't do so until a full week after the revocation had occurred, and some machines still regard the signature as valid even now (I've heard this before a number of times in software developer forums and mailing lists, plaintive complaints from users to the effect that "I know this certificate is revoked, but no matter what I do I can't get the software to stop using it!"). So while PKI and code-signing promise the user a fairly deterministic series of events in which A occurs, the B occurs, then C occurs, and then the user is safe, what actually happens in practice is that A occurs, then a comedy of errors ensues [0], and then the user is still unsafe while possibly being under the mistaken impression that they're actually safe. [0] I've never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. A real-world demonstration of the relative effectiveness of various protection mechanisms occurred when I wanted to evaluate the ability of code-signing to protect users. A researcher sent me a copy of the signed malware (thanks!), and because of its nature encrypted it with AES using the RAR archiver. Because RAR (and indeed most other archivers) don't protect file metadata, the message was blocked by email scanners that identified the overall contents from the metadata even though the file contents themselves were encrypted. After some discussion with the IT people ("yes, I am certain what the file is, it's a rather nasty piece of Windows malware, and I trust the sender to have sent me malware") they forwarded the email to the PowerPC Linux machine on which I read email, and which is rather unlikely to be affected by x86 Windows malware. Unfortunately I never could check it on the Windows system that I wanted to test it on because the instant it appeared on there the resident malware protection activated and deleted it again, despite various attempts to bypass the protection. Eventually I got it onto a specially-configured Windows system, which reported that both the signature and its accompanying certificate were valid (this is now two weeks after the CA had declared the certificate revoked). So it actually proved quite difficult to see just how ineffective PKI and code-signing actually was in protecting users from malware because the real protection mechanisms were so effective at doing their job. (It's also rather an eye-opener about the effectiveness, at least in some cases, of malware-protection software, no matter what I did I couldn't get the malware files onto a Windows PC in order to have the code-signing declare them valid and, by implication, perfectly safe). >What's interesting here is the claim that AV companies could respond much >faster. I'd say it's more than just a claim, the malware was first detected around 1 1/2 months ago and added to AV vendor databases, a full month later the certificate was declared revoked by the CA, and currently the majority of Windows systems still regard the signature as valid (I've had a report from someone else of one machine that records it as revoked, so at least one machine has been belatedly protected by the code signing, assuming the user doesn't just click past the warning as pretty much all of them will). So yes, I'd say the AV companies respond a helluva lot faster, and a helluva lot more effectively. The bigger lesson, for people who ever believed this to be the case, is "don't rely on code signing to protect you from malware". Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com