Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

How VeriSign Could Stop Drive-By Downloads 229

emcron writes "Ben Edelman has been doing great forensic work looking at spyware, adware, and malware. His latest piece, How VeriSign Could Stop Drive-By Downloads, turns the harsh light of public scrutiny on VeriSign's grubby practices in issuing digital certificates to vendors who try to install spyware by tricking users into clicking 'yes' with low-down dirty lying dialog boxes. Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."
This discussion has been archived. No new comments can be posted.

How VeriSign Could Stop Drive-By Downloads

Comments Filter:
  • Meanwhile (Score:4, Insightful)

    by cynix.org ( 811368 ) * on Monday February 14, 2005 @04:51AM (#11665981)
    The beauty of certificates is, you decide who you trust. If you object to VeriSign's practice of issuing certificates to spyware/adware makers, simply don't choose to trust VeriSign's root certificate. This is only a temporary measure, I guess.
    • Re:Meanwhile (Score:5, Insightful)

      by insert_username_here ( 844281 ) on Monday February 14, 2005 @04:56AM (#11666000)

      So you expect an clueless computer user, who's just learning about this interweb, to understand the importance of trust when downloading software?

      Even ignoring people who've never used a computer before, a lot of people are, unfortunately, very trustworthy.

      Having partly software-verifiable certificates (i.e. signed by Verisign instead of self-signed) goes a long way to helping a browser tell a user whether or not they should be able to trust this mysterious "gator.exe" (of course, people will always find ways around it).

      • Even ignoring people who've never used a computer before, a lot of people are, unfortunately, very trustworthy
        Why is it unfortunate that lots of people are trustworthy?
      • by buro9 ( 633210 ) <david@buro9 . c om> on Monday February 14, 2005 @06:49AM (#11666294) Homepage
        ...is to trust everyone.

        They have to.

        Every site that they visit will have embedded Flash, embedded Java, embedded QuickTime, embedded Real, embedded midi (FFS!).

        They are taught on their first few days to trust everyone, and that nothing that they want to achieve can be done without trusting that the site is legit in asking you to download and install stuff.

        And when they speak to their geek friends (or friends of their kids), they get told dismissively and condescendingly that YES, they must install to see the site properly, to do what they want. You can bet that they won't ask a second time!

        Is it really a surprise then, that we have a problem later with dumb users downloading spyware, adware, and malware in general?

        The problem could be much alleviated by simply pre-installing all of the key technologies in advance.

        Some Linux distros do this... my mother knew from the first moment she used Simply Mepis that she didn't need to download anything else... I told her this, and because nearly all of her sites worked (just not pogo.com) she hasn't downloaded anything else.

        But you can't do this with Windows... because Windows gives you nothing, and certainly nothing from Apple, Real, Macromedia, Sun, etc... and then to compound it, Windows is an open playground for malware once downloaded.

        If Windows RME were permitted to be shipped with not just alternatives and pre-configured competitor offerings for media, but also with common plugins for the web... and... maybe even Firefox to give choice... then this would do more to prevent malware spreading than Verisign being forced to change their practices.

        Of course... hell would freeze over, pigs would fly, and the Bush would have an epiphany on social welfare before all of the above happened.
        • by TractorBarry ( 788340 ) on Monday February 14, 2005 @08:11AM (#11666582) Homepage
          > And when they speak to their geek friends (or
          > friends of their kids), they get told dismissively
          > and condescendingly that YES, they must install to > see the site properly, to do what they want. You
          > can bet that they won't ask a second time!

          Not this geek friend. I tell people not to trust anyone on the internet and to never download any crappy plugins as 90% of them will simply be used for serving up intrusive advertising. And if the site doesn't work without their plugins them go elsewhere.

          After I've removed the first load of spyware and repeated the advice they usually listen. If not they don't get a second visit from me. I just point them to the internet and say "You're not interested in my advice so you can fix things yourself".

          Sorry I've gone half tilt Amish on the idiots of the internet. If you can't get your message over to me using plain old HTML and static images you can stick your message up your arse.

          The internet is not digital TV.

          Personally I can't wait 'til someone invents some sort of uber bandwidth media-tastic bright & shiny "Hyper Net" (now with unbrakabul DRM (tm)). Then all the drongos can go and happily consume on it whilst leaving the rest of us with our "good old" internet.

          Plugins ? I spit on you all.
      • Re:Meanwhile (Score:3, Insightful)

        by Dolda2000 ( 759023 )
        What you seem to be missing is the fact that certificates are meant for authentication, not authorization. While it would most likely help if VeriSign wouldn't issue certificates to dubious software vendors, that would be as much abuse of the technology as the idea of setting "sex bits" on IP packets to indicate sexual content.

        Thus, authentication already works the way it should. This is not a case where I should say "don't fix what already works", but rather "don't break that which works". Instead, work

        • Re:Meanwhile (Score:5, Interesting)

          by NoMoreNicksLeft ( 516230 ) <john.oyler@comcas[ ]et ['t.n' in gap]> on Monday February 14, 2005 @08:19AM (#11666624) Journal
          I don't agree. This is partially an issue with business names themselves. If we were talking proper names, e.g. John Smith (the individual), a man who writes spammy spyware for a living, and the cert say his name is John Smith, then yes, it's authenticating him (and his software) as being the person he says he is.

          Unfortunately, a person can game this system by choosing any business name they like. "CLICK HERE TO INSTALL" is not a legitimate name, not even a legitimate business name... I seriously doubt it's a registered or incorporated business name, and even if it is, it's done only so they can get a certificate with the same name. How can you authenticate them with a bullshit name? Authentication means proving who they are, which this isn't doing at all. And I don't mean to be ultra-picky, but if you couldn't get a driver's license with the name, or open a bank account with it, you probably shouldn't be able to get a certificate with that name.
          • I'm sorry, my post was a bit out of context -- in fact, I hadn't even seen that VeriSign issues certs to fake names. What I was protesting against is all these people saying things such that VeriSign should not issue certificates to makers of malware, regardless of what they call their companies.

            That is abusing the technology in the sense of using authentication for authorization, which is, objectively speaking, wrong.

            Of course, as you say, VeriSign shouldn't grant certificates to obviously faked names.

            • Just because you wouldn't operate a business under that name doesn't mean somebody else hasn't actually registered it.

              I remember a story on a guy who registered long distance provider company names. Names such as "I don't care", "Any", "Pick one".

              These were typical responses when an operator asked which carrier, and since the name, as specified by the customer existed they were obligated to use it.

              Needless to say the rates for those particular companies were some of the highest.
          • by itchy92 ( 533370 ) on Monday February 14, 2005 @08:57AM (#11666848)
            "CLICK HERE TO INSTALL" is not a legitimate name, not even a legitimate business name

            Sir, I resent your libelous filth and my legal counsel will be conacting you shortly.

            Aaron Firouz
            CEO
            CLICK HERE TO INSTALL, LLC.
        • by thatnerdguy ( 551590 ) on Monday February 14, 2005 @08:25AM (#11666650) Journal
          setting "sex bits" on IP packets to indicate sexual content.
          Are those like the Evil Bits?
    • Yes well, that doesn't help Joe Sixpack who reads "CLICK YES TO CONTINUE" and does it. The typical person, who chooses to trust og distrust the VeriSign CA would obviously not fall for this.
      • Re:Meanwhile (Score:5, Insightful)

        by elgaard ( 81259 ) <elgaard@@@agol...dk> on Monday February 14, 2005 @05:04AM (#11666027) Homepage
        It would help Joe Sixpack if he used a browser that did not trust the VeriSign CA per default.
      • The typical person *is* Joe Sixpack.

        Moll.
      • Re:Meanwhile (Score:5, Insightful)

        by sbryant ( 93075 ) on Monday February 14, 2005 @06:53AM (#11666299)

        Yes well, that doesn't help Joe Sixpack who reads "CLICK YES TO CONTINUE" and does it.

        At least he read it! I know plenty of people who will just click OK without even looking at what they're agreeing to.

        The trouble is that lots of people don't understand what is being asked of them (so many give up reading at all). Signed certificate? While I could explain what it is, how do you teach people to be able to choose the good from the bad? Some are definately not so easy to spot.

        Ol' Joe should be more distrusting of these things, but isn't.

        -- Steve

        • by ianscot ( 591483 ) on Monday February 14, 2005 @08:17AM (#11666608)
          I know plenty of people who will just click OK without even looking at what they're agreeing to.

          Which should tell us there's a bigger problem here than whether Verisign is, in the fashion of the AKC, turning a blind eye to puppymillers who'll pay for registration papers.

          If users have been conditioned to routinely say "yes" or "OK" to anything they see, it's partly because the APIs they deal with all day long encourage the writing of bad, unintelligible dialogs. Anyone who's ever waded through the "Yes No Help" dialog box when saving to a .csv file from Excel knows this problem. That one's unreal: they give us a bulleted list in the dialog that basically translates the buttons.

          It's no accident that tons of the spyware pop-ups out there look like Windows dialog boxes. People are so used to clicking through horribly-written dialogs that they don't pay any attention. A better set of API default dialog types would nudge everyone, programmers and users, in the direction of actually readable dialogs that mean something.

    • Re:Meanwhile (Score:5, Insightful)

      by strider44 ( 650833 ) on Monday February 14, 2005 @05:02AM (#11666020)
      Tell me then, what's the point of having a certificate when you can get it under any name you want, for any (possibly) malicious piece of software? If it doesn't give any indication of being trust worthy at all then it's absolutely worthless!

      It's ironic that a Microsoft representative a little while ago criticising Firefox not paying for a certificate for the download. What is to stop someone registering "Firefox Browser" or "Click Yes to Download" instead? Certificates when they are so easily abused like this are only detremental - they create a fake level of trust.
      • This is the point - this means that if, just by accident, it turns out that the given software performs illegal actions, uses your computer to store kiddie porn or starts to send spam to .gov or .mil adresses, verisign can track the body it issued sertificate to and hold it accountable.

        And it has nothing to do with actual quality of software it has signed.
      • Re:Meanwhile (Score:5, Informative)

        by DarkTempes ( 822722 ) on Monday February 14, 2005 @06:26AM (#11666233)
        the point of a certificate is NOT to verify that the company/person is a trustworthy company/person

        it's to verify that the software is FROM the person/company on the certificate

        certificates verify identification/authentication -- they are NOT an indication of trustyworthy software, nor are they supposed to be.

        the problem is literacy and common sense, something that many people seem to lose the minute they touch a computer.
        • Re:Meanwhile (Score:3, Insightful)

          by SiChemist ( 575005 ) *
          But the point of the article was that Verisign was not enforcing its own rules. Some of the company names on the certificates were FAKED. In that instance you can't verify who the software is FROM in any meaningful way.

          At least part of the problem is that Verisign is unwilling to make even the smallest effort to end trickery using its service.
          • It's about trust (Score:3, Insightful)

            by budgenator ( 254554 )
            Verisign's main corporate asset is trust, the entire certificate business is centered arround that trust. What we have to trust is that Verisign has in place an effective mechanism to insure that entities are in fact who they say they are and is applying that mechanism effectivly. It appears that Verisign is not effectivley applying that mechanism, and are wasting their most important asset. For quite a while I've suspected that a Verisign cert only meant that some paperwork was filled out and a check cash
      • Re:Meanwhile (Score:2, Insightful)

        by sl4shd0rk ( 755837 )
        > they create a fake level of trust.
        Yes, but they generate a *huge* volume of capital and this is what drives the interweb now.
      • Re:Meanwhile (Score:3, Interesting)

        by DrXym ( 126579 )
        The thing though is, that at least IE insists controls be signed. Firefox does not insist that extensions be signed.

        Now controls are unarguably the bigger danger, but that does not excuse the weak security defaults that Firefox uses for extensions. A user can install any extension without a clue as to who wrote it, or even if it was tampered with. The default policy should be accept signed extensions and not accept unsigned ones at all. If people want to change that preference, that's their own business,

        • err Firefox doesn't really let you do that extremely easily

          you'll click on the 'extensions' file
          firefox will pop up with a notice up top that you need to add that to the allowed list, you do.

          then you have to click it again to let firefox install it.

          if something is 'signed' it would just pop up once, be like "Do you trust this certificate (not do you trust this site)", average joe is stupid and just says yes always, and then it installs.

          seems to me firefox's method for extensions is actually harder than
          • Firefox is using domain trust as a poor man's code signing.

            It doesn't do you much good if the site in question has been hacked or is subject to a man in the middle attack. You as the user have no idea in either case if that extension has been tampered with because it has no signature.

            Neither domain trust work well when the domain in question hosts hundreds of controls. For example, once you've trusted the Mozilla extensions website, the domain check is not going to protect you from downloading something

      • The point is... (Score:5, Informative)

        by davegust ( 624570 ) <gustafson@ieee.org> on Monday February 14, 2005 @11:25AM (#11668417)
        The point of certificates is to prevent impersonation of trusted sources by untrusted sources. Anyone can register a valid company name. Verisign considers proof of name a printed phone listing (they call you back at the published number) or a notarized copy of a business license.

        So somebody seems to have registered a company name "Click YES to continue" in some state. It's probably a legal company name. I agree with the author that this is obviously deceptive practice, and Verisign should revoke the certificate revoked. In addition, we should be able to complain to Verisign about other companies violating the Verisign agreement.

        I don't know what they do if the company name is a duplicate of another previously registered name.
    • Re:Meanwhile (Score:5, Insightful)

      by Anonymous Coward on Monday February 14, 2005 @05:05AM (#11666028)
      Aside from the enormous inconvience actually practicing this with high security settings.

      If Versign is making certain claims about their trust worthiness, and that of the people they certify, they should be held accountable when those claims are demonstratibly false. They're lying for money. No it might not be the end users money, but it's their time that's being stolen, and Verisign is doing it for money. And while there certainly is some wisdom in being a wary buyer, I think their is something to be said for forcing people to keep their promises to the larger marketplace. "Oh, they're rich, it's good for their business.", doesn't exactly put me in a benefit of the doubt kind of mood.
    • Re:Meanwhile (Score:3, Informative)

      by evilbuny ( 553280 )
      Ever tried removing these certificates out of MS IE on winXP, they buggers just keep getting downloaded and reinstalled and so far I don't know any way to disable this "feature"
      • Re:Meanwhile (Score:4, Interesting)

        by X0563511 ( 793323 ) on Monday February 14, 2005 @05:28AM (#11666083) Homepage Journal
        I remember after digging around in the MMC seeing somewhere that Verisign is not only trusted by IE, but XP itself!

        There's a copy of their public certificate on your machine - that's how IE can tell if it really was Verisign that signed it.
        • Re:Meanwhile (Score:3, Informative)

          by ergo98 ( 9391 )
          Verisign is not only trusted by IE, but XP itself!

          Verisign is recognized as an authorized certificate authority because Windows has a central certificate store that can be used for a wide variety of applications (much more than just browsing the web). This sort of seems like a logical, good design way of doing it (rather than each app having an island of certificates).

          The root certificates that you are speaking of, which you can find in the MMC snap-in Certificates, have specific uses that they are allow
    • by Anonymous Coward
      The beauty of certificates is, you decide who you trust. If you object to VeriSign's practice of issuing certificates to spyware/adware makers, simply don't choose to trust VeriSign's root certificate. This is only a temporary measure, I guess.

      Indeed.

      Basically a certificate signed by Verisign is just that and only that. It's a certificate signed by Verisign. It doesn't say anything about the person or company presenting the certificate, their partners, business practices, history, ethics or ANYTHING EL

  • Yes, but (Score:3, Insightful)

    by unkaggregate ( 855265 ) on Monday February 14, 2005 @04:54AM (#11665992) Homepage
    what happens when they stop using such blatantly obvious names and go with more subtle made-up names?

    Heck, what if they start using a thesarus to pick complicated sound names that sound cool?

    • Re:Yes, but (Score:3, Insightful)

      by TLLOTS ( 827806 )
      While I expect you're correct in your assumptions about what peopla attempting to abuse this would do, shouldn't VeriSign still perform some verification of the companies details given and ensure that if false information is given, that they can somehow contact the person who brought in the application for the certificate.

      After all, if there's no real verification done then what good are these? It seems like they're more $200 - $600 licenses to trick users into donwloading your spyware.
  • by tjlsmith ( 583149 ) * on Monday February 14, 2005 @04:55AM (#11665994)
    And since the purpose of opportunistic companies like Verisign, who's keys are no better than anyone else's, is to make as much doe ray me as fast as possible, why are they going to do this?
    • I would assume, since they're one of the bigger companies out there, that they think it will make them look good. If they don't crack down on the fraudsters, there's a risk that people will stop trusting Verisign. In which case, no more profits for them.

    • I think what needs to happen is for a large corporate customer (one that has been victimized by adware/etc) to sue Verisign over their negligence, or fraudulent representation of their certificates. Might make a nifty class-action suit, too.

      I mean, if they issue a certificate to a company named "CLECK YES TO CONTINUE", then they're not even making a token effort to provide the services they claim.
  • by nuclear305 ( 674185 ) * on Monday February 14, 2005 @04:58AM (#11666005)
    I can't deny that VeriSign should be doing a better job with stuff like this, but I certainly don't believe in the claim that by taking their certs away that drive-by downloads will cuddenly stop.

    The real problem is the fact that nobody bothers to read the window that has just popped up in front of them. I'm guilty of this myself, there have been times I've not even recognized a problem with certs on my own servers the first few times clicking through.

    My saving grace is that I never ever click an OK or YES button unless I'm expecting one. That simple rule has kept me from ever having anything installed using this method. The problem is that not everyone understands that they should not agree to every popup window they see. It's not going to matter if it claims to be authorized by God himself; if it has a YES/NO/CANCEL option and the user is not security-aware the person will probably say yes. I think educating people would be more effetive than trying to get the CAs to revoke the certificates.

    I'm sure there will be plenty of the "Use FireFox, Problem Solved!" comments as well. I have experienced, rarely, where a drive-by site is impossible to say "no" to when under Firefox and eventually crashed the browser but IE under SP2 handled itself very well on the same page.
    • by ZiZ ( 564727 ) * on Monday February 14, 2005 @05:21AM (#11666067) Homepage
      I'm sure there will be plenty of the "Use FireFox, Problem Solved!" comments as well. I have experienced, rarely, where a drive-by site is impossible to say "no" to when under Firefox and eventually crashed the browser but IE under SP2 handled itself very well on the same page. Right, IE just calmly and quietly installs the software for you if you're not computer-savvy enough to say 'yes' to the dialog box to start with. ;) Seriously, though, I think that the /possibility/ of letting computers auto-install software that doesn't /directly/ come from a company that you've already approved - that is, Microsoft updates for Windows, Mozilla Foundation updates for Mozilla or Firefox, Adobe updates for Photoshop - causes more problems than it reduces headaches. Make people go through extra steps if they want to install FREE PR0N EXPAND YOUR PENIS NOW or A COOL SCREENSAVER FOR YOU, since computers have long been training your average user to just say 'ok' to any dialog box that pops up.
    • Ive had a couple drive-bys in firefox. Malicous Java scripts, no signing needed.

      Fortunatly enough my AV caught them and kept them from spreading, but firefox died and had to be restarted.
    • by JudgeFurious ( 455868 ) on Monday February 14, 2005 @06:03AM (#11666185)
      I know what you mean about never clicking "OK" or "YES" buttons, hell I won't even click "NO". Ok, so it's not so much a problem these days what with the OSX and the Mac but at the end of my Windows "experience" I simply decided that nothing that popped up could be trusted. I got the idea in my head that even the "NO" button was a lie.

      My own saving grace (I think) was that I got in the habit of always going down to the taskbar and doing the "right-click, close" bit.

      Education is the ticket but man, I question whether or not some of these people can be educated. I've been at this for over a decade in the same job, supporting the same people and the people I've been trying to teach continue to step on the landmines. Sure from time to time there's a success story or two with my users but for the most part the ones who are going to screw up continue to screw up.
      • by NardofDoom ( 821951 ) on Monday February 14, 2005 @09:41AM (#11667275)
        Part of Apple's Human Interface Guidelines is to avoid buttons that say "Okay" or "Yes." Buttons should have verbs in them telling the user what's going to happen. So, on a Mac, it says "Install" instead of "Okay." So you can be sure what's going to happen when you click it. Quite handy.
  • Keep on dreaming (Score:5, Informative)

    by Ubi_NL ( 313657 ) <joris.benschop@gmai[ ]om ['l.c' in gap]> on Monday February 14, 2005 @04:59AM (#11666007) Journal
    After the whole debacle with the DNS [whois.sc] somehow i don't see Verisign prioritize ethics over profit any time soon
    • Re:Keep on dreaming (Score:2, Interesting)

      by evilbuny ( 553280 )
      Not to mention the debarcle over punycode domains and Verisign not following RFC security guidelines to normalise domains before they allow them to be issued, seems they have a lot of fingers in a lot of pies at present to gain a lot of money from a lot of dubious practises....
  • by Anonymous Coward on Monday February 14, 2005 @05:00AM (#11666013)
    Help us for "free"?

    Remember the DNS hijack? They wouldn't back down untill they were sued and threatned repeatedly.
  • New Times? (Score:5, Funny)

    by HateBreeder ( 656491 ) on Monday February 14, 2005 @05:01AM (#11666014)
    Perhaps, one day after Drive-By Downloads are stopped, a new era could emerge...
    A time in which east-side nerds could live side by side with west-side nerds.

    I have a dream...
    • Perhaps, one day after Drive-By Downloads are stopped, a new era could emerge... A time in which east-side nerds could live side by side with west-side nerds.

      But hopefully not before Bill Gates is shot dead by Larry Ellison (a la Tupac Shakur), because Steve Ballmer dissed Oracle.

      Or maybe it was meant to be a 'West Side Story' reference, which suggests that the solution to the problem of bogus Verisign certificates is....

      Dance!

      I have a dream...

      Is that a quote from Martin Luther King, or ABBA?!
  • by millwall ( 622730 ) on Monday February 14, 2005 @05:04AM (#11666026)
    How come they only just now start to question companies with names such as "CLICK YES TO CONTINUE"?

    It's so basic that it's sad that they now issue this press release trying to make them look like good guys, even though it's so obvious and should have been looked into much earlier.
  • That requires VeriSign to actually do something and cuts into their profits.

    Look at the mess known as the domain registry and how much junk information is found in there. I'm sure the license for the SSL has the same requirements (and no teeth) just like the DNS registry does.

  • by Anonymous Coward on Monday February 14, 2005 @05:20AM (#11666063)
    I DARE YOU TO CLICK YES

    we were also considering

    CLICK YES YOU MORON

    OMG, WERE YOU SERIOUSLY GOING TO CLICK NO

    and

    THIS IS SO COOL, YOU GOTTA SEE WHAT HAPPENS WHEN YOU CLICK YES
  • Either that or they face the "threat" that more and more people switch over to Firefox which doesn't use ActiveX at all which in turn means less activex certification profits?
  • by Anonymous Coward
    is to design a mechanism for stabbing people in the face over the internet.

  • by Anonymous Coward on Monday February 14, 2005 @05:31AM (#11666099)

    Wanna get rid of spyware, adware and malware?

    CLICK YES TO CONTINUE [apple.com]
  • by Gareth Saxby ( 859006 ) <saxby182&hotmail,com> on Monday February 14, 2005 @05:33AM (#11666103)
    Too often do I trust the wrong sites, with owneres that I personally know myself, to then be bogged down with spyware alerts on my computer. I'm amazed at what Verisign has done in the first place, it makes them seem more concerned about earning money than security over malicious applications and code.

    The very cheek of it all, is that the main marketing technique on their website is to talk about security. I think if they were going to clean up their act, they would have done it a long time ago. No hope for some people.
  • by Anonymous Coward on Monday February 14, 2005 @05:35AM (#11666111)
    Reminds me of a comment on politics which also appeared on /. some time ago.

    It was proposed to change one's name to None Of The Above and run for presidency.
  • by Capt'n Hector ( 650760 ) on Monday February 14, 2005 @05:38AM (#11666118)
    Seriously. It blows my mind that I can create a site that can make a dialogue box pop up that when the user clicks "yes" can install software. Verisign can't be blamed for that mess. ActiveX, on the other hand, can. Here's how MY browser works: It displays webpages. If I want software, I download it to my desktop. I then choose to open it or delete it. No ActiveX, no auto-launcing/auto-installing/etc bs. What's so hard about that?
    • by MichaelSmith ( 789609 ) on Monday February 14, 2005 @06:00AM (#11666177) Homepage Journal
      Here's how MY browser works: It displays webpages

      My Sister-in-law runs redhat 9 (because I installed the system)

      She tells me that she often goes to sites which offer games which she (or her son) would like to run. Most of the time they don't work either because they need java or activex, or because they are just broken

      Either way it is my fault for giving her a PC which doesn't do all these things

      You and I have reasonable expectations about technology. The person in the street has different expectations and they drive the market

      • Most of the time they don't work either because they need java or activex, or because they are just broken.

        Both ActiveX and Shockwave won't run, short of running WINE, but Java? All you have to do is download the RPMs from here [java.com].

    • It's absolutely incredible and totally unacceptable that there isn't an option "Don't install anything. Like, ever.", and that it isn't set by default. IE has a checkbox in the advanced settings called "Enable install on demand" but unchecking it makes no difference as far as I can see.
      • by jrumney ( 197329 ) on Monday February 14, 2005 @06:16AM (#11666209)
        IE has a checkbox in the advanced settings called "Enable install on demand" but unchecking it makes no difference as far as I can see.

        Unchecking it prevents IE from offering to download IE language packs when you visit a website you cannot view with currently installed languages. Nothing more. If you have all the languages you can read installed already, then you probably won't want this checked.

        • Silly me for not realising that it's specifically to do with languages. After all the clues were blindingly obvious to see:
          1) the word "language" does not appear in the label,
          2) or the header of the section it's in,
          3) or the help that comes up with [?].

          Not having a go at you there, by the way. Unless you're a usability specialist at MS.

      • There is. Alter the settings for the Internet security zone to deny all activex content, etc etc. While you're there, you can turn off all the other shit that MICROS~1 has fucked up the 'net with.
    • I think the problem is, for the average joe, ALL browsers are "broken" from the get go. They can't properly display half the sites out there because those sites depend on some BS plugin that is not included.

      So people learn that in order to get thier computer thing to work, they have to constantly be installing the latest flasholio plugin 5000(TM). How is such a person going to know trustworthy from not?

      • They could allways Google for the organisation name displayed on the certificate. You know, do a little research.

        The same people wouldn't go out and randomly buy a car, or a cooker, or a washing machine, without going to Which, Consumer Reports and so on check on the reputation of the company that makes the goods.

        Ok, some would. But they get what they deserve.
  • "Now, Ben wants VeriSign to clean up its act"
    And of course VeriSign will immediately go "Sir, yes Sir, we will Sir! We've already started bending over backwards, Sir !"
  • by littlem ( 807099 ) on Monday February 14, 2005 @05:53AM (#11666165)
    Now, Ben wants VeriSign to clean up its act: it should refuse to issue certificates to companies that use obviously fake names (such as "CLICK YES TO CONTINUE") or that use those certificates to deceive consumers."

    Come on! Verisign's whole business model is to sell as many certificates as it can - it's simply not in their interests to show scruples like that. Verisign have the MicroSoft seal of approval, so for the average desktop user that makes their reputation beyond suspicion, so they have nothing to lose.

    • In the long run, this sort of thing will undermine trust in Verisign's certs and in digital certificates in general. At that point, the market is open for a new cert company that does a more thorough job of researching the companies to whom they grant certs. Verisign should know this, however years of experience with them convinces me that they probably don't.

  • by Bob64 ( 844867 ) on Monday February 14, 2005 @06:25AM (#11666229)
    From what I have seen, I believe that the employees at Verisign are "Clicking yes to continue" when approving certificate requests. Or someone mistakenly clicked the "Yes to All" button.
  • The answer (Score:5, Informative)

    by tinus ( 106997 ) on Monday February 14, 2005 @07:10AM (#11666348)
    This is what Verisign answered when I asked them the same question last year (and then refused the stupid automated reply):
    In response to your email, when this company submitted their request for a
    digital certificate, we followed our standard authenticiation &
    verification policies to make sure of the following:

    1. That the company, Click Yes To Continue, is indeed a legitimate company
    and has the right to conduct business under this company name, which was
    confirmed using an online, 3rd party web site for validating companies
    located in Canada.
    and
    2. Received a valid phone bill from the company, in which we used to call
    the company back & confirm the order.

    Please note that when a company obtaina code signing certificate, we DO NOT
    validate their code, as the customer has to agree to our certificate
    policies before even submitting their requets online.

    Therefore, we did not issue a certificate to a 'fake company'. However, we
    will forward your email to our internal security department and Verisign
    Lawyers to see if this company is indeed distributing fraudulent code using
    a certificate obtained through Verisign.

    Obviously, nothing happened afterwards.
  • Obviously (Score:4, Informative)

    by evanh23 ( 584055 ) on Monday February 14, 2005 @07:30AM (#11666416)
    Obviosly 90% of the people posting in this discussion have no practical experience with this subject. The certificate in question is a code-signing certificate. Have you ever bought (or tried to buy) one of those from Verisign? I have and let me tell you--it is a royal pain in the ass. I can say with almost certainty that those certificates that are from a company called "CLICK YES TO CONTINUE" did not come from Verisign.

    It took me nearly two weeks to track down all the paperwork to get my code signing certificate (authenticode). The process includes designating two contacts, faxing over several forms (including a valid county business license for the company name on the application) and a notorized agreement of indemification because they weren't able to do 3rd party identity validation on my company (they look your company name up in the white pages and call the number to make sure it exists and that you do indeed work there. My company wasn't in the phone book.) They also try to look you up in D&B. This all came after giving them the $500 for the certificate.

    That being said, I don't see how anyone could get away with purchasing a certificate such as described in the article from Verisign--maybe Thawte or another. IMO Verisign is taking some flak here due to /. ignorance.
    • Re:Obviously (Score:3, Informative)

      by kalidasa ( 577403 ) *

      Read the posting directly above yours [slashdot.org]. Verisign did indeed approve this certificate. So much for your near certainty.

      The company exists, under that name. The fact that the name was obviously chosen with fraudulent intent doesn't seem to concern Verisign too much.

    • I'll think that you'll find that although the code appears to come from a genuine company, and is autheticated by Verisign, the name of the actual plug-in has a name such as 'Please Say Yes'.

      A friend of mine forwarded me a link to a site last year containing one such dodgy plug-in (a dialer app) which did this. The site has since been taken down, though.
    • Re:Obviously (Score:2, Interesting)

      by OhPlz ( 168413 )
      This boggles my mind too. I've renewed the same server certificates for years and some code certs, it's a royal PITA. Every year they manage to throw a wrench in the process somehow, oh.. this obscure peice of data we got from this place doesn't exactly match your company's street address or we called once at 3am and no one answered.

      I'm amazed anyone can get through all that with bogus information. You'd think that someone with that kind of determination could be doing something better with their skills
  • brilliantly myopic (Score:3, Insightful)

    by tverbeek ( 457094 ) on Monday February 14, 2005 @07:34AM (#11666431) Homepage
    The fact that the author is suggesting that Verisign do this points out why it's such a bad idea, a cure worse than the disease. Who here trusts Verisign? So why should we make them (or even let them become) arbiters of whom to trust?

    Teaching individual users to be more informed and responsible about whom they trust may be difficult, but it's better than entrusting a private, unaccountable, quasi-monopoly (let alone one with a history of un-trust-worthy behaviour) with that decision.

  • Why hasn't this company been banned from having anything to do with the Internet?

    Time and time again it gets busted doing crap like the SiteFinder fiasco and still they get away with it.

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Monday February 14, 2005 @07:52AM (#11666480)
    Comment removed based on user account deletion
  • by Donny Smith ( 567043 ) on Monday February 14, 2005 @07:54AM (#11666491)
    Firefox should have a mechanism to assign different levels of trust to CAs - http://www.openca.org/openca/ would have a higher level and VeriSign a lower level.
    This could be changed by the end user, though.

    When the user gets presented with a dialog box, Firefox would suggest the user to not trust VeriSign-signed sites.

    The "VeriSign penalty" could be adjusted in each new release based on their willingness to ge their shit together. Fuckos.
  • The other solution is to quit treating digital certificates as something to do with trust (the authorization-vs-authentication fallacy). Microsoft's stupid "security zones" model takes this blatant idiocy further than anyone, but all browsers have adopted some similar conceptual structure.

    A certificate doesn't tell you anything about whether a web site is secure, trustable, or anything else. It simply provides a slightly better verification of identity.
  • by MadCow42 ( 243108 ) on Monday February 14, 2005 @08:51AM (#11666806) Homepage
    The only real use of a certificate is to show that the software you download is actually from the company that it's claiming to be from.

    The trust-worthiness of that company is still in debate... you just now know who it is you're dealing with.

    MadCow.
    • The only real use of a certificate is to show that the software you download is actually from the company that it's claiming to be from.

      It doesn't really even tell you that much. All it does is authenticate the DNS name in the URL. In a few cases it might be possible for the certificate issuer to do more than a cursory investigation of the company name, but not routinely at the prices they have to charge to actually sell certificates.
  • by Anita Coney ( 648748 ) on Monday February 14, 2005 @09:05AM (#11666916) Homepage
    Seriously, anyone who clicks on crap like that deserves to get screwed! My father-in-law is one of those types. It's a compulsion. He clicks on any spam, pop-up, or banner ad no matter how many times I've told him to stop. I had to set up a very restricted user account on his computer. Essentially he's unable to download or install anything. But he's been spyware free for over a year now.
  • by xmas2003 ( 739875 ) * on Monday February 14, 2005 @09:22AM (#11667063) Homepage
    Very much related to this is the massive DDoS that Ben had on his site - peaked out at 600 MBYTES/second [blogspot.com] and also mentioned prominantly in the referenced slashdot article above. [benedelman.org] Gotta wonder if the cockroaches (aka spyware companies) are getting just a little pissed off at Ben?!?

    Read my Technocrat article for more info [technocrat.net] and I also submitted to Slashdot, but it got rejected - oh well.

  • Do you want to install and run "ULTRA-FAST P3N!$ ENHANCER 4.3" signed on 3/27/2003 10:54 AM and distributed by:

    CLICK YES TO CONTINUE

    Publisher authenticity verified by VeriSign Class 3 Code Signing 2001 CA Caution: CLICK YES TO CONTINUE asserts that this content is safe. You should only install/view this content if you trust CLICK YES TO CONTINUE to make that assertion.



    [] Always trust content from CLICK YES TO CONTINUE.
  • by CodeBuster ( 516420 ) on Monday February 14, 2005 @11:47PM (#11674995)
    After reading the article I was reminded of the common practice in the late 1980s and early 1990s, before cell phones were nearly as common as they are now, of people registering long distance phone companies with names like "it doesn't matter" and "makes no difference" so that when an unsuspecting pay phone user, at an airport say after a long flight, was asked which long distance company's services they wanted they would get stuck with one of these unscrupulous operators who would then proceed to charge them out the nose, ~$5.00+ per minute, for the call (especially on those card phones which took credit).

"Old age and treachery will beat youth and skill every time." -- a coffee cup

Working...