Ben Laurie blathering

Trust Me, I’m Signed!

The W3C recently announced their spec for signing widgets. Signing things is a good idea, if you’d like to be assured that they come from where you think they come from, or you want to detect tampering. But I would have hoped we were way past statements like this

Widget authors and distributors can digitally sign widgets as a trust and quality assurance mechanism.

If trust and quality were assured by signatures then our lives would be so much easier – but sadly it is not so. Indeed, it is so much not so that CAs, in an amazing piece of marketing, have managed to persuade us that, since they work so poorly for trust, what we should do is pay them even more money to get more robust signatures (a.k.a. EV certificates)!

Anyway, I was sufficiently irritated by this stupidity that I felt it necessary to remark on it. Which prompted this absolutely brilliant response from my friend Peter Gutmann

From the report:

Of signed detected files, severity of the threats tended to be high or severe, with low and moderate threats comprising a much smaller number of files:

Severe 50819
High 73677
Moderate 42308
Low 1099

So there you go, signing definitely does provide a “trust and quality assurance mechanism”. If it’s a CA-certified signed rootkit or worm, you know you’ve been infected by the good stuff.

“the report”, by the way, is a large-scale study by Microsoft which makes for some interesting reading. In particular, they also acknowledge that even the promise that signatures would at least let you track down the evil bastard that wrote the code has proven empty

Though also intended to identify the signing parties, Microsoft has been unable to identify any authors of signed malware in cooperation with CAs because the malware authors exploit gaps in issuing practices and obtain certificates with fraudulent identities.


  1. […] this is a lead up to saying I found this piece on a proposed W3C spec for digitally signing widgets by Ben Laurie very timely: “Trust me, […]

    Pingback by Assurance for eParticipation Widgets « Spartakan — 7 Apr 2009 @ 16:12

  2. […] Code Signing Can Be Trusted (but not blindly) By Craig H Ben Laurie, who certainly knows security, and is a top bloke for the work he has done on FreeBMD, blogged yesterday on why signatures don’t provide assurance of trustworthiness or quality. […]

    Pingback by Code Signing Can Be Trusted (but not blindly) « Symbian Foundation Security Blog — 8 Apr 2009 @ 15:24

  3. Sorry, but I think you’re making your point too broadly. I believe that there are some signing models that can assure some degree of trustworthiness and/or quality, and the W3C widget signing syntax could be used in them.

    Comment by Craig Heath — 8 Apr 2009 @ 15:34

  4. Ok, fair enough. That was a dumb statement to make on our part. We will remove it from the spec. Apart from that, was the spec ok?

    Comment by Marcos Caceres — 9 Apr 2009 @ 12:16

  5. Hi, we are trying to address your issues at the W3C. The offending sentence will be dropped. Please send us feedback relevant to the spec.

    Comment by Marcos Caceres — 22 Apr 2009 @ 16:38
