Never "Always Trust"
Thursday, September 1, 2005
If you've ever surfed to Microsoft's Windows Update site or a site that requires the latest Flash plug-in, you've seen the "Security Warning" dialog box. It's the one asking you if you'd like to "install and run" such-and-such a plug-in "signed by" such-and-such a publisher. This somewhat mysterious dialog box can actually go a long way towards protecting your computer online if you know how to interpret it.
The "Security Warning" dialog box tells you whether or not the file you're about to download has been signed. "Signing", in this context, refers to digital signatures. A digital signature is much like a real signature on a physical piece of paper. However, a digital signature also ensures the integrity of the signed content. It provides the browser with a mechanism to verify that the copy it received matches the copy signed by the publisher.
So, the browser knows that the code belongs to the publisher. But how does the browser know whether or not to trust the publisher? Simply put, it doesn't. That's why the browser presents you with a "Security Warning". The dialog box contains all the information that it knows about the publisher. The browser leaves it up to you to make a decision as to whether or not to trust the content. The browser even makes "No" the default option.
The question, then, is how do we go about interpreting the dialog box? You probably know that it's safe to click "Yes", for instance, if you surfed to the Windows Update site and the publisher is listed as "Microsoft Corporation". You might even trust Microsoft to distribute content signed by other publishers, including the Macromedia Flash plug-in. But what about content signed by "Microsoft Corporation" that's not published on the Microsoft site?
If you're on a questionable site, such as a site found via a web search or -- especially -- a site whose link you found in a piece of e-mail, then you probably want to play it safe and click the "No" button. That includes content signed by "Microsoft Corporation". You're better safe than sorry, and here's why.
A digital signature is created with a set of keys. One key, the private key, is used to sign the content. The other key, the public key, is used by your browser to verify the content. The public key, along with the publisher's name and other information, is all verified and signed by a Certificate Authority. This information becomes the certificate -- a stamp of approval of sorts -- for the publisher.
Each computer has a list of trusted certificate authorities like Verisign, Thawte and Geotrust. Certificate authorities are responsible for verifying the identity of the publisher (using documents like Articles of Incorporation or Dun and Bradstreet numbers). Once the certificate authority has identified the publisher, they then use their own digital signature to sign the certificate issued to the publisher.
That seems all well and good, but there are some problems with this approach. First, not all certificate authorities are created equal. It's considerably easier to get a certificate from some authorities than others. Second, mistakes get made. In one infamous case, Verisign issued certificates to an individual claiming to be "Microsoft Corporation".
However, it's also possible for an attacker to exploit code signed by a valid digital signature. Take, for instance, a hypothetical plug-in signed by "Microsoft Corporation". Let's say Microsoft actually wrote, signed and released the plug-in. Some time later, they realized there is a bug in the plug-in. The bug is a security flaw which allows a web site to take control over your computer. Microsoft, realizing the severity of the issue, takes the plug-in off their site and replaces it with a new version, sans-bug.
That's all well and good. However, there's nothing stopping a malicious Web site from offering up the original plug-in for download off of their site. If you ended up on this site, you'd be prompted to "install and run" content signed by "Microsoft Corporation". However, after doing so, the malicious site would be able to exploit the aforementioned bug.
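The scenario above, worked through in code. This is an added example, not code from the original post or from any browser: a toy RSA signature with fixed, deliberately small primes stands in for the publisher's real code-signing key, the plug-in bytes, site names and certificate record are constructed, and the CA's signature over the certificate is left out. It shows that the withdrawn build still verifies perfectly (the "Security Warning" only proves who signed it and that it is unmodified), so the install decision needs checks the dialog cannot make for you.

```python
import hashlib

# Toy RSA key pair with fixed, small primes. Constructed for illustration only:
# real code-signing keys are 2048+ bits, randomly generated and never hard-coded.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537                              # public exponent (goes in the certificate)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (stays with the publisher)
# A certificate binds the publisher's name to its public key (the CA's signature
# over this record is omitted here).
CERT = {"subject": "Microsoft Corporation", "public_key": E}

def digest(content: bytes) -> int:
    """Hash the content and reduce it into the modulus range (toy scheme)."""
    return int.from_bytes(hashlib.sha256(content).digest(), "big") % N

def sign(content: bytes, private_key: int = D) -> int:
    """Publisher side: sign the content hash with the private key."""
    return pow(digest(content), private_key, N)

def verify(content: bytes, signature: int, public_key: int) -> bool:
    """Browser side: the public key recovers the hash, which must match the content."""
    return pow(signature, public_key, N) == digest(content)

# Constructed plug-in images: the original build (later found exploitable) and the fix.
BUGGY_PLUGIN = b"plugin.ocx v1.0 (remote-code-execution bug)"
FIXED_PLUGIN = b"plugin.ocx v1.1 (bug fixed)"
BUGGY_SIG = sign(BUGGY_PLUGIN)
FIXED_SIG = sign(FIXED_PLUGIN)
# Hashes of builds the publisher has pulled from its own site (constructed list).
PULLED_BUILDS = {hashlib.sha256(BUGGY_PLUGIN).hexdigest()}

def security_warning(content: bytes, signature: int, cert: dict = CERT) -> dict:
    """Everything the dialog can establish: who signed it and that it is unmodified."""
    ok = verify(content, signature, cert["public_key"])
    return {"publisher": cert["subject"] if ok else None,
            "sha256": hashlib.sha256(content).hexdigest()}

def should_install(warning: dict, site: str, expected_site: str) -> bool:
    """The decision the dialog leaves to you: a verified signature is necessary but
    not sufficient. Also require the expected origin and a build not yet withdrawn."""
    return (warning["publisher"] == CERT["subject"]
            and site == expected_site
            and warning["sha256"] not in PULLED_BUILDS)
```

Note that `should_install` rejects the withdrawn build even when it is served from the expected site, which is exactly the gap "Always trust" would paper over.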
And this is why you never check the option to "Always trust content signed by such-and-such". Remember the title of the article? It's a reference to a checkbox in the dialog box. If you check this option, then the browser will quit annoying you with the "Security Warning" dialog box when it encounters content signed by such-and-such. But as we now know, there are times when even code signed by otherwise trusted publishers should not be downloaded and installed.