On 08/06/2012 18:02, Sid Stamm wrote:
> binary-file reputation system based on a whitelist of binaries and domains, and identifies benign executables as Windows users attempt to download them. Benign executables can bypass any "are you sure" UI, making it less annoying to users.
But also a lot more valuable for evildoers. I'm not at ease at all with the idea of considering "anything coming from the xxx domain" as safe. I'd feel OK with white-listing the hashes of known safe binaries instead (and known safe app signers).
You list "Forcing application download sites to use https" as a non-goal. IMO this is required to make domain-name-based white-listing acceptable. But actually I believe domain-name-based white-listing is intrinsically weak, because weaknesses that allow an attacker to upload his own file somewhere on the web server appear too frequently. And I believe many admins today check the integrity of files they know exist on the server, but much less frequently check that no unexpected new ones have appeared.
For app signers, we've seen something like 4 different cases of an app-signing certificate being stolen and used for virus propagation in the last 2 years. I think it would be best to require the owner of the certificate to store it on a hardware token, so that his private key can't be copied, if he wants to get on the white-list.
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
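The contrast the reply draws between domain-based and hash-based allow-listing, as an added example that is not code from this thread or from Mozilla's reputation system; the domain, the "known good" file bytes and the "attacker-uploaded" file bytes are constructed:

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample data. A real system would carry vendor-published
# SHA-256 values; here the allow-list is derived from constructed bytes.
KNOWN_GOOD_BINARIES = [
    b"MZ\x90\x00 constructed stand-in for installer-1.0.exe",
]
HASH_ALLOWLIST = {hashlib.sha256(b).hexdigest() for b in KNOWN_GOOD_BINARIES}
DOMAIN_ALLOWLIST = {"downloads.example.com"}  # hypothetical vendor host


def sha256_hex(data: bytes) -> str:
    """Content identity of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def domain_based_decision(url: str, data: bytes) -> str:
    """Reputation by origin only: anything served from an allow-listed host
    skips the warning, so a file an attacker manages to drop on that host
    is waved through just like the vendor's own installer."""
    host = (urlparse(url).hostname or "").lower()
    return "skip-warning" if host in DOMAIN_ALLOWLIST else "warn"


def hash_based_decision(url: str, data: bytes) -> str:
    """Reputation by content: only a byte-for-byte known binary skips the
    warning, no matter which host delivered it (mirrors included)."""
    return "skip-warning" if sha256_hex(data) in HASH_ALLOWLIST else "warn"


def compare(url: str, data: bytes) -> dict:
    """Run both policies on one download so the difference is visible."""
    return {
        "domain": domain_based_decision(url, data),
        "hash": hash_based_decision(url, data),
    }


if __name__ == "__main__":
    good = KNOWN_GOOD_BINARIES[0]
    planted = b"MZ\x90\x00 constructed file planted on the trusted host"
    print(compare("https://downloads.example.com/installer-1.0.exe", good))
    print(compare("https://downloads.example.com/hotfix.exe", planted))
    print(compare("https://mirror.example.net/installer-1.0.exe", good))
```

The second call is the case the reply worries about: the domain policy skips the prompt for a file nobody vetted, while the hash policy still warns; the third shows the hash policy also accepting a legitimate copy served from a host that is not on any domain list.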
