Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Should VeriSign Be the Name Police?



 By: Larry Seltzer
2005-02-21
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Updated: Opinion: Could you imagine a company named "CLICK YES TO CONTINUE"? I could, and so could VeriSign—and they were sort of right. But nothing's perfect.

Im glad that Im still shocked when I find something innovative in its dishonesty, even though it seems to happen every other week in the computer security business. Anti-spyware advocate and researcher Ben Edelman publicized one of these recently in the form of a company that distributed adware signed with a Thawte digital certificate using the company name "CLICK YES TO CONTINUE."

Security insiders keep an eye on Edelman, a candidate for both law and economics Ph.D. degrees from somewhere called "Harvard." More than once he has brought interesting secrets of the industry to the forefront. In this case, he may have jumped to a conclusion, depending on what he meant to say.

Please read Edelmans article to see screen grabs of the software and certificates at issue. Verisign revoked the "CLICK YES TO CONTINUE" certificate shortly after Edelman publicized it.

Its Edelmans contention that the examples he provides show that VeriSign is not enforcing the rules they set for recipients of their digital certificates.

The first example is the real eye catcher: Its an ActiveX installer with the company name presented from the certificate being "CLICK YES TO CONTINUE." The motivation, it would appear, is to trick the drunk and/or stupid user into clicking the Yes button without further scrutiny of the company whose software is being installed. Edelman calls this an "invalid company name."

What are VeriSigns rules for granting a certificate? If I claim to be Sam.Walton@BeyondTheGrave.com will they grant me a certificate for Wal-Mart Inc.? No. Read VeriSigns Authentication Guide for the list of checks they perform to verify that you are who you claim to be and that you have a right to use that name.

Its not an easy process to scam. Obviously, VeriSign tries to automate as much as possible of the process, but they do have humans involved and such certificates are not cheap. Incidentally, the Edelman examples all involve code-signing certificates, which are peanuts compared to SSL certificates, the overwhelming majority of the certificate market.

Resource Library:

Click here to read about VeriSigns plans for RFID security enhancements.

And yet VeriSign issued a certificate for "CLICK YES TO CONTINUE." Thats because, according to Chad Kinzelberg, vice president at VeriSign, its actually a legitimate name for that business. This answer really got me, as Id never considered the possibility, and perhaps Edelman didnt either.

VeriSign goes on to say that as soon as they found out what CLICK YES TO CONTINUE was doing with their certificate it was revoked for violating the terms of the license. The same is true of the other examples Edelman provides. In one of these, Edelman claims that a product name ("VIRUS FREE") is misleading.

Now, how is VeriSign supposed to know that? Is it really so hard to imagine a legitimate program named "VIRUS FREE"? So unless Edelman expects VeriSign to require certificate customers to clear all uses of certificates through the VeriSign Certificate Police I dont see what he expects them to do proactively.

In such cases all one can expect is that they will revoke the certificate retroactively for violation of the license, for instance if its used for spyware or another product that breaks laws.

The CLICK YES TO CONTINUE example is a little more complicated. Once again, I ask: Is it so hard to imagine a company name "CLICK YES TO CONTINUE"? In retrospect its clear they used it to try to mislead the user, and so it was a violation of the terms of the license, but was it the kind of name that should have been denied at the outset? Im uncomfortable with the idea of VeriSign making such decisions.

I dont have any way to verify VeriSigns claims independently, but they seem reasonable to me. VeriSign is one of those big companies, like Microsoft, that take a lot of abuse, much of it undeserved. But even with such easy targets we need to be reasonable in our criticism.

Editors Note: This article has been modified to remove a claim by Verisign about when they contacted Mr. Edelman that Verisign has withdrawn. For more details, see a follow-up column, "Company Name Police Squad II".

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Should VeriSign Be the Name Police?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}ks㶲*Q3CO#dKm9f|&UZ$CR8'['7n7%?&$4Fwh4#I"gnZ΄ܦdwÀ>]K$wB}wNUQV #7((bP<H񻧛fi /4w7w#<D&/hԎhTa@Y2d6;k6!o4vekOh cۨ_X&``1\t|TA!j :մnI۴Q$1q@ˡ] ]( Ѽ/$pm<$Q~c ( Cw&>tb9셨 )+Bt+"(?c& c?9;|'CϚ6?&?QI'6q_z^_'@;)E[G0歭_ϫ|tfs< s~3 CoZe؄j% =q7`JaC%LjZuL}:n-EӝÌfؖqSth(͡V*Z]QKru_):?"www;1ݻ 2+ѹkL(e? n8up;ZJ󺮕}U;ާ;yԼm g B'Fb}"UJ@DZ-gi" 0h!54trAH{tT畒A\7jy%Բ_/iv$1{P$hIcF/XTUGb9vmҹt.tO$oIJ1<ZMӀH Zzb#=Z V%uݻiw>u;}$'t6 +?;V'_W[Ulhxi5Hef[PePp9L+pz/~h/;dBˏGgcRdt,Atp~F X(-t[;RH3}yp%AX*R*Y4C! ,=2ɌcP5 4:];ȼ9AcE#}^7iJuV!aFC`qkn6 @̀kiF5 (,eg05@N)U1r{VvfM)o f|CUC-ͿE7+bԜөɛ!"ƈOn9Cx,ʹggd[o".ӰervZn֖Չ*YX[u5fjZY?iYwΤyi >^uڤٻw`Yyƺƻ EHY7-6I0qN}sQU1"Y*EE,@JKPL# e u< P @>O;3jZYc;Nkh|N>ƒ(6&ʋCPsiZnL-@sՇt7@+wO޺zL^ž*LКk}P#A :\TR}4 9q PhRP|s70Z@[3haP%[Ѽk:Fz?a#0. Zm{AeV~}̢Pwݐ<m@}fsĥ[ݲeǀԜ/uKd˕F M cRRR$S'!I#r*B,`@n%{ [A;B/V+\y"*M'8܉;T+/2LX)gQY,p[HQf)i2hƪńHVFNL1|PHW)tGL[QZ{}cThb8lX:Ŀuosj1هI 4ǢZQJ> D ȸla,Caڴ *;vm۽G Zfdݹ'+JЦVȹC@3@MqNW3pPS@ bN,(t=(U+ay@٘*# Wk Bo` 2l3sG/.ztw݉M% i4Q.)J5Ew` L] T< ty[= :6.w\@/ QPHWkX tаթ6-4&Tt a?"!1|ڧ>ns3R*/s7+ )T;fz^*k 6UUR;,Z 7;*Aq[ q@'|~_ћz?_3ch9tYkJo?CPt *pɥ~䣇*,*pȲ<aFL:K/sPX3~Wp1\FAn#>ҍ'i*r16~ Ziсbڠ{7>;#4Q5rRd2y@7P}m*tֳ>^#2!=z%>s?^if?eyXT*JZճ(*I$ [2t9t=d}k?ty/UUNSF;:9&ߐ@ڨO( ]?k88ŤX2N*,E$R(NYa hٌjj/BЃ`IC#'+Ȋ@G#+ ސOJ[GC~g$} W>V }b*kZQR^? +rk4rhỌش,7i -r iz⥺_-,sKiJg؋_q]rf)ty4ņ5#/4C䖶Fuq0 O)s44ڎpDM? )03aMٸUJ0iuI+KZԡ=2a{V$}?q\FI's3ҿ﹮u Bo0|7n=SGRiemRߑN[ }ĵ)$jZ#OdY. eժR+@8L3A 6Bs=ǃۻmpI75a Shx|{ [PHe$ $"ZkZ$apvOd+,7A<8&ov/?BhueajE6v܆kJT~jgZЍ)8FgMX2BNsE^)w4}һH'<d¼ǏDG/{ۻ8|HN;8L0~W/;^\/0C~?HNj=o(/ hdzNTH!v1i>bt۫M=-ck/[vt˰F:'Z@~ FEzA\9o]^l{g+~Ru/:R ARz0W#F:뾿8`1P*Ӻ@>n48L6Ms{kdܝa vH[!Rr_zW'^ptm՘{r qdQ5õhL٦;+ a Z`!oH}X!bPH\T dDۿCt?$YZ:g_+{7 rEާPZIR"9oũp-pKiP:ƶ{w8jiN9{GlNڢ-]nĖ3f9\)LhsyX#%dBM[@b%h4eW:BzcxZ R̄0}]9 EuX.eHUk+tt,Z؍NڰqE2UdP(sX6 }a>dٚIdx邟!f$@Y&D#Y?KTɦ)jc݁tGش,X 8&Eeb0!\EKG|P; ,eA9e&"[Cޖ hJ.|F}Ws}M\woI$Ui?y:yrh>(ߗ5XCc*_A3] HrЂ(b$IA% (@דhK˳"&ֽon[b+2H*Mɬ\2&^_cA`5@1]JZhe " ? ~f^Ʈt@ƾ&)ul:g65N hHJW8(}r?. c +u&AߚrAAPޔ*N /( ( L }%:X?rCûp#V$ݓ"G!$|T*)YL:x#9 u߶L1HT@YPQ"0_y87o |8׶<2ٱk:( eݣsI\K%eZ,}+4e_I~cJ}mc'V`$vh*%MtLԢ좝e[tCyu[5vl-e :4H6ECIAzdExzki/o 3,ϿnFf<@>;Z߃^X0s۾_/;A' (؟ÛA(Gtf:tBsg[t_f=,4WQCaEe&rn^XA)tφ?P\s1 BtSzM\BūL9ȷ \/Zë21FZ;S*~ d6Fa {rgiQ;,mIjvg u΅d=I_I}ՏGP ,Ñ@t}œ3QGzq2[2-~q7-͝~KechT"|Qn){Z}Oln#|V R<98Ȋv u  sTtq'iuԷR^0@~PAfXtvD)xߣݘ-Y?̠#䷿P'mdɷەQV^{c`2UȏBT%|_zB~f뇺~] jqd<8&ɤQ^ B8j -kVVq8iI.*d7/w|d0Uňk)G>ş;Z/G ^b+>]L5,XmÈ>O2C[ s;яTmS_#C75s~J(a?5v1h=(CZP"Z]’{U}Is9bNl@`b('&lZO/q/t1 qy%bg@FPxIYL3^z0sϙTh/ZNtUDkژcΩѝZMWWs.KBCr/ZdI+4/ c|ŻRO&SJ9椷 O=#Ԕ;X| pU% * PZp?Pcizn`uD`E,*~5BY|V`]?.ur34<&¹ NACO &ڣ{z^Nzp4*pejUtKDL 2@s87>?_IN1% =a kE$7ǃ2F$%xLg a9=g3bv "벡1^|Zq|u/#@ l!1g昱OiX$_uR𶸻@P"ѫXJց&J'eI d7  c Q@Ԕ57+I8|kvK .h`tA@"\2Gyan2?y go= 1YG7Ck5EYG71`p0'?v`!us\fHԎG$%Ѕ8h,-@"!9͉ Kk} 7úޛZF à!q3&+z+uT/J]WP)9C KTU:j|&Oa@eyͬf+ǯD\hiJdR. ?h$@쌆=(d2=jRcgrһ"-rrǣUr]Y;a]+ |mUszǽ'݋UbPhX>|%\Aw/|veQk֣]@miq@q1FQg xuw)4#Jy[g@g9 CNkN_O?nr{IGJOoڝcH?^~9{hקv nsҡ}ݜ}{CI ק05ss{sy~Ρ9?<ϡsD'H~ 9䤟CyN:E^\E@rOK/G\}\%)sC?}?}?A \c}}OyпO9kHKΡk:kKu3Az+Zpzz=29IG9R+_~K%IN>ȳ9+f/^sTh*௟U}dlڽ< qʕ8{^Syڙ閽VqLeM9PKG{2Ph +[y@ⅇU4:,)X96Ffm\v3k]ѕCAf_b 5q?'OtVfw 4;) v![ИrY֢@zEk[Nhj'܌3X;k7@\]Άљ%daCeY)N(Ѱ~P+"D794\9):s wEm }:gl*(4f!2^46T@φMܙ+Y&|f+g -tV rߢR'B~22VHg'Շ7r{Hτ[TY׿S%/uLt;1*(z@`:~ kn7\;aKƘS DMKIEYHrrh9${5z(V 1>r^aB0Hǻc0i;owҿ@Mx EÄIRg^#%&a"e'xIX7L.F{E3, 6 郇rIB+.Ġ/>'GTWBMxYU7gM&GД0ᯘSV#E j u/ MF^kυ xspk f}1d+%/N (Z<@SĠ#)be _4Uﵰtѷd9Hz&zU x$.6="QDwΆl'O$u޺k:PBΥRuLխVU^7!u`/ă_| Њg/tg˜5wo@AikA/?H3۱x쥭%mY $v.}xF˒5\NT~7)VXwц|6(6؋|!K' Ͽaޥ\hPh6L`>N3".YXxٲq9cbZ)qmGfdӧZW5Z@5E`w[xozc<ZAn% {Lִ/>$(+nNvGT'7>U'ه|4h~ḿ Xu#(_ђkPF-H_hFq: I ڔ?d|E#bSp.@PM5f2R8WĻ ^)۱Yj%xd휙m9~Sg _(LOWt<Xy@t-] Epymӕ/y9" #LRe|_Q.5 7tle @J]m >m7300}Xc 0,*0%95-E6<:=܈x~;ݾA k3Hex.Xݫ$mہQ#nȹȰ-`jkDmYtẁA<۶w&׶Tdؖ׶< Xè+vf$Ѿs,a|X oV|޸+no=Ȉe6]g0^O60Nm+L,,H[Ze']ZD.hrE"O ر~ mj #fY [Rjt" 1>f@xH>%7mAb ;k[=)>-c׻gqO<U .VSF`yeb x ؚտHR#I|Ð!g̯h=5nBM]ga+gPXhc 1GxY W[OPQE6:| ,݈bZ"NDJ i)99N*JH6c?rCft*$@˭ō]Ng"a7:#/ah#gyb3S2w$Ywf @ȟ$#}E.4ʢ8b/Xqө8Y%:KcAs<] yw$oꎾZ;~v?;LJvˌRXi*.I;ǽUFnԣWm)h#/S$DU B|v{>/7 k~s'Wh< xWy *F ϖg Uj;IhdMn+cSEᘸe-WFs>{l~ )#Us̹D/TR_JC\qrx6 }TbrȬ,웰qgf†[Hx.b&;fղf\v)