UAC complains VLC is unsigned.

Discussion in 'other software & services' started by jo3blac1, Mar 15, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    So... certificates are useless... because CAs get hacked?

    I take it you don't bother using HTTPS on your banking site right? Because someone probably just hacked the cert.

    The CA system has massive problems, but applications should still be signed.
     
  2. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    The only thing that HTTPS ensures is that the connection is encrypted. (Oh wait, not even that really, not just b/c of MITM and/or hacked CAs, but also just useless when someone issues a "top secret" * certificate for usage on a traffic inspection appliance. Not kidding you, that actually happened.) Frankly it probably still happens all the time in China.

    Yeah, because you want to have comfortable policies on "legit" signed malware. :rolleyes:
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't care if malware is signed. Doesn't make my life any harder, at all. Not just talking about Applocker here, which I consider to be absolute low-tier security with few benefits.

    Having unsigned legitimate programs does make policies really difficult to maintain though.
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    In case you want something signed because you cannot be bothered to maintain policies, you are more than welcome to donate $$$ to them for the purpose. I just cannot see how such policies make sense, but since you "don't care if malware is signed" I assume you will be entirely happy with a situation where your comfortable zero maintenance policy all of a sudden applies to malware just because it was signed e.g. by "Microsoft". Hmmmm.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'd be pretty comfortable with that, yes.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What a lovely discussion. :D ;)

    Hungry Man is right when he mentioned that digital signatures/certificates are meant to bind people <-> software. This is one of the issues with CAs (I think I've mentioned in one of my posts. Didn't check. :blink:). I actually believe that recently digitally signed malware was found and it was using a certificate issued to some company in Brazil that no longer exists, at all. Just one example. There are more, I'm sure of it.

    In a day and age where more and more security solutions do not scan files if digitally signed (I think there was some discussion about this in a recent past at this forum, but also mentioned across the Internet.), digital certificates are a pain in the .... It goes from this -> (_|_)... to this -> (_O_). This is how I see certificates. :eek:

    Regarding already running software, regardless of being signed or not, hashes are the way to go... just not practical. Certificates are nothing but a false sense of security, but considering that they are widely used, especially for enterprises where unsigned software is not allowed, then it would make sense to digitally sign the software, if the developer(s) want to target such an audience as well.

    But, as I mentioned before, it's about trusting what the application does, and not the certificate or hash (if yet to be downloaded). To know and trust what it does, you need to analyse it. This is one of the great things about open source projects, because you get to study the source code and recompile it yourself.

    I think some fine folks do this, especially for encryption software.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Looks like it hurts lol

    I disagree about hashes being the way to go though. There's no way to automate policies with hashes in a secure manner.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Which is why I said it is not practical. But, they are the way to go, if one doesn't mind the time and effort. :D
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well, we'll just have to agree to disagree on that one =P
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    I disagree as well with hashes as the way to go, and only because of how impractical it is to maintain them, even with a semi-automated approach like using Powershell.

    With a policy like AppLocker being utilized, as long as the files are obtained from a trusted location and verified safe to use and they perform their intended purpose, digitally signed makes it easiest to maintain the policy. What I think makes it difficult enforcing a safe policy are the unprotected user-space directories being abused utilized by a number of programs, but that's another topic.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    How exactly are you going to protect yourself from digitally signed malware, using the stolen digital signature of your safe application? This is the one problem with digital signatures.

    So, if I allow Publisher A, and malware is using Publisher A signature, this piece of malware has a free pass.

    I agree that hashes are impractical, but digital signatures... how reliably can we depend on them? o_O
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You're still assuming applocker.

    For applocker a stolen cert that belongs to the whitelist is enough for a full "bypass". Not all policies are "execute" or not.

    A certificate will be useful for any policy that requires the ability to track a program across versions. Hash based policies can't do that. Certificate based policies can.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Who? Me? o_O I didn't mention AppLocker once.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    What I mean by that is that for something like AppLocker the payload either runs or it doesn't. In this case a certificate rule is less secure than a hash rule, because you can't steal a hash (not without tons and tons and tons of money, or a really weak hashing scheme).

    But with a policy that isn't relying on preventing the execution, that doesn't care if malware is executed, then signatures provide the *only* way to track a program across versions.
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    How is this going to transpire if I download from a known trusted site and verify upon installation it's safe and performs as expected?
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Let's say I have a policy that says "Don't let programs signed by mozilla that register as Firefox access any files other than what Firefox can access". Why would I care if a malicious program stole the cert? They'd be opting into a sandbox.

    Certs are perfect for policies.
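
The three policy types argued over in the posts above (hash execute rules, publisher execute rules, and a publisher-keyed confinement policy), modelled as an added example that is not part of any post in this thread. The publisher name, sample binaries and access profiles are constructed, and signature verification is assumed to have already happened before a rule sees the signer.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binary:
    name: str
    content: bytes
    publisher: Optional[str]  # signer after signature verification; None = unsigned

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

# Constructed samples (not real files or real publishers).
APP_V1 = Binary("player 1.0", b"player build 1.0", "Example Publisher")
APP_V2 = Binary("player 1.1 (update)", b"player build 1.1", "Example Publisher")
STOLEN = Binary("malware, stolen cert", b"malicious payload", "Example Publisher")
UNSIGNED = Binary("malware, unsigned", b"other payload", None)
SAMPLES = [APP_V1, APP_V2, STOLEN, UNSIGNED]

def hash_execute_rule(allowed_hashes):
    """Allow execution only for exact, previously reviewed file contents."""
    return lambda b: "run" if b.sha256 in allowed_hashes else "block"

def publisher_execute_rule(allowed_publishers):
    """Allow execution for anything validly signed by a listed signer."""
    return lambda b: "run" if b.publisher in allowed_publishers else "block"

def publisher_confinement_rule(profiles, default="whole user account"):
    """Never blocks; a matching signer only narrows what the process may access."""
    return lambda b: profiles.get(b.publisher, default)

def decision_matrix():
    """Evaluate every sample under every policy: {policy: {binary: decision}}."""
    policies = {
        "hash/execute": hash_execute_rule({APP_V1.sha256}),
        "publisher/execute": publisher_execute_rule({"Example Publisher"}),
        "publisher/confine": publisher_confinement_rule(
            {"Example Publisher": "player profile dir only"}),
    }
    return {pname: {b.name: rule(b) for b in SAMPLES}
            for pname, rule in policies.items()}

if __name__ == "__main__":
    for policy, row in decision_matrix().items():
        print(policy)
        for name, decision in row.items():
            print(f"  {name:24} -> {decision}")
```

The hash rule blocks the legitimate update until it is re-hashed, the publisher execute rule follows the update but also admits the stolen-certificate sample, and under the confinement policy that same sample ends up with the narrower profile instead of the whole user account.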
     
  17. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Open Office is another offender.... At least LO got their act together.
     
  18. Reith

    Reith Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    15
    I skimmed over the rest of the topic, but I just wanted to chime in and say MPC-HC started signing their binary releases as of around a month ago.

    They're a much smaller project than VLC, so if they can do it, VLC really has no excuse.
     
  19. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    513
    Although your point is valid, checking for hash is not everyone's cup of tea; digital signature at least on systems with UAC makes sense because I can tell a person who is not technically inclined not to install anything that says "Publisher:Unknown". I know from personal experience this has been partially effective from people getting infected.
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Neither is knowing what digital signatures are everyone's cup of tea.
    Let alone understanding the meaning of publisher and whatnot.
    So if you're a nerd, you're a nerd all the way.
    Mrk
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't know what a trusted source is. If I download and analyse an installer, and come to the conclusion it's safe, then the website where I downloaded it from is a trusted source, even if not a well known source (it may even be a new website created a few days ago), but if I download it from a well known source, and turns out it's malicious, then it is not a trusted source. There have been cases when malicious crap was/is found in applications downloaded from so-called trusted sources.

    There have been cases where security (official websites) have been hacked. I'd say these are meant to be trusted sources, but when do we know they stop being such?

    This brings me to what you have mentioned and what I've mentioned for quite some time now: verification/analysis.

    So, it's not about the "trusted source" either, it is about what the installer/application does, regardless of where you download it from. :)
     
    Last edited: Mar 19, 2013
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I thought we were discussing (for the most part of it, at least) security as well. ;) Heck, we're on a security forum. :D
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes... sandboxing. That's another great discussion. But, then if the signed malware has a free pass to get installed (something that shouldn't happen, right?), and hijacks Firefox's executable, then the signed malware can access all that Firefox can access, and that includes Internet access as well. (In this scenario the bad guys do not want to raise any suspicion, and they just hijack the browser's executable.)

    What good would be this policy? They could still be accessing important data. I don't like that policy... on its own. :p
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Nothing on Windows would stop malware from executing by default in the case of social engineering. So the only thing that changes is that instead of access to the entire user account the malware would only have access to the specific files/folders.

    I'm not trying to sell some policy here, and on its own that isn't enough anyways, but the point is that for any kind of policy where you want to keep track of a 'good' file, certificates are the best way to do so.
     
  25. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375