Should VeriSign Be the Name Police?

By Larry Seltzer  |  Posted 2005-02-21 Print this article Print

Updated: Opinion: Could you imagine a company named "CLICK YES TO CONTINUE"? I could, and so could VeriSign—and they were sort of right. But nothing's perfect.

Im glad that Im still shocked when I find something innovative in its dishonesty, even though it seems to happen every other week in the computer security business. Anti-spyware advocate and researcher Ben Edelman publicized one of these recently in the form of a company that distributed adware signed with a Thawte digital certificate using the company name "CLICK YES TO CONTINUE." Security insiders keep an eye on Edelman, a candidate for both law and economics Ph.D. degrees from somewhere called "Harvard." More than once he has brought interesting secrets of the industry to the forefront. In this case, he may have jumped to a conclusion, depending on what he meant to say.

Please read Edelmans article to see screen grabs of the software and certificates at issue. Verisign revoked the "CLICK YES TO CONTINUE" certificate shortly after Edelman publicized it.
Its Edelmans contention that the examples he provides show that VeriSign is not enforcing the rules they set for recipients of their digital certificates. The first example is the real eye catcher: Its an ActiveX installer with the company name presented from the certificate being "CLICK YES TO CONTINUE." The motivation, it would appear, is to trick the drunk and/or stupid user into clicking the Yes button without further scrutiny of the company whose software is being installed. Edelman calls this an "invalid company name."

What are VeriSigns rules for granting a certificate? If I claim to be will they grant me a certificate for Wal-Mart Inc.? No. Read VeriSigns Authentication Guide for the list of checks they perform to verify that you are who you claim to be and that you have a right to use that name. Its not an easy process to scam. Obviously, VeriSign tries to automate as much as possible of the process, but they do have humans involved and such certificates are not cheap. Incidentally, the Edelman examples all involve code-signing certificates, which are peanuts compared to SSL certificates, the overwhelming majority of the certificate market.

Click here to read about VeriSigns plans for RFID security enhancements. And yet VeriSign issued a certificate for "CLICK YES TO CONTINUE." Thats because, according to Chad Kinzelberg, vice president at VeriSign, its actually a legitimate name for that business. This answer really got me, as Id never considered the possibility, and perhaps Edelman didnt either.

VeriSign goes on to say that as soon as they found out what CLICK YES TO CONTINUE was doing with their certificate it was revoked for violating the terms of the license. The same is true of the other examples Edelman provides. In one of these, Edelman claims that a product name ("VIRUS FREE") is misleading.

Now, how is VeriSign supposed to know that? Is it really so hard to imagine a legitimate program named "VIRUS FREE"? So unless Edelman expects VeriSign to require certificate customers to clear all uses of certificates through the VeriSign Certificate Police I dont see what he expects them to do proactively.

In such cases all one can expect is that they will revoke the certificate retroactively for violation of the license, for instance if its used for spyware or another product that breaks laws. The CLICK YES TO CONTINUE example is a little more complicated. Once again, I ask: Is it so hard to imagine a company name "CLICK YES TO CONTINUE"? In retrospect its clear they used it to try to mislead the user, and so it was a violation of the terms of the license, but was it the kind of name that should have been denied at the outset? Im uncomfortable with the idea of VeriSign making such decisions.

I dont have any way to verify VeriSigns claims independently, but they seem reasonable to me. VeriSign is one of those big companies, like Microsoft, that take a lot of abuse, much of it undeserved. But even with such easy targets we need to be reasonable in our criticism.

Editors Note: This article has been modified to remove a claim by Verisign about when they contacted Mr. Edelman that Verisign has withdrawn. For more details, see a follow-up column, "Company Name Police Squad II". Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel