Im glad that Im still shocked when I find something innovative in its dishonesty, even though it seems to happen every other week in the computer security business. Anti-spyware advocate and researcher Ben Edelman publicized one of these recently in the form of a company that distributed adware signed with a Thawte digital certificate using the company name “CLICK YES TO CONTINUE.”
Security insiders keep an eye on Edelman, a candidate for both law and economics Ph.D. degrees from somewhere called “Harvard.” More than once he has brought interesting secrets of the industry to the forefront. In this case, he may have jumped to a conclusion, depending on what he meant to say.
Please read Edelmans article to see screen grabs of the software and certificates at issue. Verisign revoked the “CLICK YES TO CONTINUE” certificate shortly after Edelman publicized it.
Its Edelmans contention that the examples he provides show that VeriSign is not enforcing the rules they set for recipients of their digital certificates.
The first example is the real eye catcher: Its an ActiveX installer with the company name presented from the certificate being “CLICK YES TO CONTINUE.” The motivation, it would appear, is to trick the drunk and/or stupid user into clicking the Yes button without further scrutiny of the company whose software is being installed. Edelman calls this an “invalid company name.”
What are VeriSigns rules for granting a certificate? If I claim to be Sam.Walton@BeyondTheGrave.com will they grant me a certificate for Wal-Mart Inc.? No. Read VeriSigns Authentication Guide for the list of checks they perform to verify that you are who you claim to be and that you have a right to use that name.
Its not an easy process to scam. Obviously, VeriSign tries to automate as much as possible of the process, but they do have humans involved and such certificates are not cheap. Incidentally, the Edelman examples all involve code-signing certificates, which are peanuts compared to SSL certificates, the overwhelming majority of the certificate market.
And yet VeriSign issued a certificate for “CLICK YES TO CONTINUE.” Thats because, according to Chad Kinzelberg, vice president at VeriSign, its actually a legitimate name for that business. This answer really got me, as Id never considered the possibility, and perhaps Edelman didnt either.
VeriSign goes on to say that as soon as they found out what CLICK YES TO CONTINUE was doing with their certificate it was revoked for violating the terms of the license. The same is true of the other examples Edelman provides. In one of these, Edelman claims that a product name (“VIRUS FREE”) is misleading.
Now, how is VeriSign supposed to know that? Is it really so hard to imagine a legitimate program named “VIRUS FREE”? So unless Edelman expects VeriSign to require certificate customers to clear all uses of certificates through the VeriSign Certificate Police I dont see what he expects them to do proactively.
In such cases all one can expect is that they will revoke the certificate retroactively for violation of the license, for instance if its used for spyware or another product that breaks laws.
The CLICK YES TO CONTINUE example is a little more complicated. Once again, I ask: Is it so hard to imagine a company name “CLICK YES TO CONTINUE”? In retrospect its clear they used it to try to mislead the user, and so it was a violation of the terms of the license, but was it the kind of name that should have been denied at the outset? Im uncomfortable with the idea of VeriSign making such decisions.
I dont have any way to verify VeriSigns claims independently, but they seem reasonable to me. VeriSign is one of those big companies, like Microsoft, that take a lot of abuse, much of it undeserved. But even with such easy targets we need to be reasonable in our criticism.
Editors Note: This article has been modified to remove a claim by Verisign about when they contacted Mr. Edelman that Verisign has withdrawn. For more details, see a follow-up column, “Company Name Police Squad II”.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.