Do You Code Sign? 259

Saqib Ali asks: "I am a regular reader of Bruce Schneier's blog, articles, and books, and I really like what he writes. However, I recently read his book titled 'Secrets and Lies' and I think he has done some injustice to the security provided by 'Code Signing.' On page 163 of his book, he (Bruce Schneier) basically states that: 'Code signing, as it is currently done, sucks.' Even though I think that Code Signing has its flaws, it does provide a fairly good mechanism for increasing security in an organization." What are your thoughts on the current methods of code signing in existence today? If you feel like Bruce Schneier, how would you fix it? If you feel like Saqib Ali, what have you signed and how well has it worked?
"The following are the reasons that he (Bruce Schneier) gives:

Bruce's Argument #1) Users have no idea how to decide if a particular signer is trusted or not.

My comments: True. However, in an organization it is the job of the IT/security dept to make that determination. It shouldn't be left up to users. The IT dept should know not to trust "Snake Oil Corp."; however, anything from "Citrix Corp" should be fairly safe. Moreover, Windows XP SP2 provides a mechanism to create a whitelist of certain trusted signers and reject everything else. This is a very powerful security mechanism, and it greatly increases security in a corporate environment if the workstations are properly configured. Having said that, this feature may not be that useful for home users, who cannot tell the difference between Snake Oil and Citrix Corp.

Bruce's Argument #2) Just because a component is signed doesn't mean that it is safe.

My comments: I fully agree with this. However, Code Signing was never intended for this purpose. Code signing was designed to prove the authenticity and integrity of the code. It was never designed to certify that the piece is also securely written.

Bruce's Argument #3) Just because two components are individually signed does not mean that using them together is safe; lots of accidental harmful interactions can be exploited.

My comment: Again, Code Signing was never designed to accomplish this.

Bruce's Argument #4) "Safe" is not an all-or-nothing thing; there are degrees of safety.

My comment: I agree with this statement.

Bruce's Argument #5) The fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attack could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored.

My comments: I am not sure what this statement means. I think this type of attack is outside the realm of Code Signing. 'It is like saying host-based IDS or anti-virus are useless, because if you can compromise the system you can turn them off.'

I would really appreciate any comments / thoughts / feedback on the above mentioned Bruce's arguments and my commentary. I am planning to give a short talk about benefits of code signing, so any feedback will really help me."
  • Good comments (Score:3, Informative)

    by Jaborandy ( 96182 ) on Wednesday August 31, 2005 @07:37PM (#13450042)
    You make some good arguments. Code signing is not a panacea, but it does add value. Saying it sucks because it doesn't solve world hunger is a worthless criticism of a good technology.

    I would add that "always trust X" is not appropriate for home users, and it is good that MS makes the unchecked state the default. I don't recall MS telling me to always trust MS, and if they do, I would want to give them feedback about that wording.

    The "always trust X" feature is best used by domain admins who can pre-approve stuff for their users. It's even better if they can resign the code themselves with a cert on the approved list.

    --Jaborandy
  • Do you code write? (Score:3, Informative)

    by Evro ( 18923 ) <evandhoffman AT gmail DOT com> on Wednesday August 31, 2005 @07:38PM (#13450052) Homepage Journal
    When used in this context, "code sign" doesn't make sense... shouldn't it be "Do you sign your code?" Or if it's intended as a new phrase, maybe it should be "Do you code-sign?"
  • 2 things... (Score:2, Informative)

    by deviantphil ( 543645 ) on Wednesday August 31, 2005 @07:44PM (#13450086)
    1. The book is a few years old (1999 or 2000 IIRC).
    2. I believe Bruce is referring to the fact that: yeah....you can say so and so created this code. But that doesn't tell you how trustworthy the person is or how well the code was made. So therefore putting too much faith into a "seal" saying that it is signed is a mistake.

    Maybe Bruce himself reads /. and will post. I read his blog daily and I know he often posts comments in his own blog.

  • by Anonymous Coward on Wednesday August 31, 2005 @07:49PM (#13450128)
    Then you imported the wrong key, tool. All the packages are signed. There are several different keys, you know. And why would Red Hat be signing Fedora's packages?
  • by owlstead ( 636356 ) on Wednesday August 31, 2005 @07:50PM (#13450129)
    You mean like under windows, view a certificate, go to details tab, click edit properties, disable all purposes of this certificate? Something like that?

    In firefox you will have to remove 3 ticks instead of one button, but those ticks are way easier to find. Not that anyone knows, but it is possible.

  • I do. (Score:2, Informative)

    by stg ( 43177 ) on Wednesday August 31, 2005 @08:01PM (#13450194) Homepage
    I sign my shareware, simply because WinXP's screen when running signed software is slightly less frightening. I think that is worth the yearly US$100 investment (I didn't do a double-blind test, though - it's just an educated guess).

    About Bruce's Argument #1, that is true. However, the idea is that whomever they got their certificate from (Comodo, Thawte, Verisign, etc) will revoke the certificate as soon as they do something against the rules. It will show as revoked if the user is on-line when the screen comes up.

    I previously heard about someone's certificate being revoked for wrongdoing. I can't remember any of the details.

    If the certificate issuers acted fast on reasonable complaints, it could be a great security enhancer.

    As it is, the group that gets the most of it is MS (who gets fees from issuers for being in their OS's root certificate) and the certificate issuers.

  • by bitslinger_42 ( 598584 ) on Wednesday August 31, 2005 @08:02PM (#13450205)

    In addition to the two points on what you are trusting Microsoft to do, there is a third, even more important, thing that you are trusting. By "trusting" the signed code, you are also trusting the chain of certificates involved.

    "Huh?" you say? "WTF does that mean?" Most of the time, the certificate that was used to sign the code was also signed by another certificate. This is supposed to establish a chain of trust. In Microsoft's example, their root certificate may be signed by Verisign. The theory is that Verisign is trusted by everybody, and therefore if Verisign signs someone's key, the signed key can also be trusted.

    Unfortunately, the theory breaks down. There was a well-publicized instance where Verisign issued a code-signing certificate to someone claiming to be from Microsoft but actually wasn't. When Verisign screws up, or otherwise proves themselves to be not trustworthy, then the end user is left with trying to figure out which "Microsoft" keys are good and which ones aren't. Above and beyond the fact that many users aren't equipped to make those decisions, the vast majority simply don't care.

    In a closed-form environment (i.e. inside a company with a PKI in place, physical security on the PKI servers and root key, documented procedures for establishing the identities of the cert requestors, where the apps being signed are for internal use only), code signing, and even chain of trust, mostly works. Once you get out of that tight model, the signature on the code only says "This code was signed by someone claiming to be Microsoft".
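Chain validation, as an added Go example that is not code from this thread or from any vendor: the standard library's crypto/x509 builds a constructed root, an issuing CA and a code-signing leaf in memory (every name, including "Microsoft Corporation" and "www.example.com", is hypothetical, and all keys are generated fresh on each run), then runs the path validation a client should perform before believing the name in a signer certificate. It shows the two things a chain check does catch: a leaf with the right name minted by a CA the client never trusted, and a genuine certificate issued for TLS being used to sign code. The case bitslinger_42 describes, a trusted CA issuing to an impostor, passes this check by construction; that is exactly why the chain only tells you "someone the CA believed was Microsoft signed this".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certKey pairs a certificate with the private key that signs under it.
type certKey struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn. With parent == nil it is self-signed
// (a root); otherwise parent's key signs it. CAs get no EKU extension, so the
// leaf's own EKU decides what the chain may be used for. Demo-only: key
// generation or encoding failures are treated as fatal.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *certKey) *certKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, parentKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, parentKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certKey{Cert: cert, Key: key}
}

// VerifyCodeSigningChain is what a client must do before believing the name
// in a signer certificate: build a path from leaf through intermediates to a
// root it trusts, and require that the path permits code signing.
func VerifyCodeSigningChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// Scenarios builds a constructed PKI (all names hypothetical) and returns the
// verification result for three leaves; a nil error means the chain passed.
func Scenarios() map[string]error {
	codeSigning := []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	root := issue("Trusted Root CA", true, nil, nil)
	issuing := issue("Trusted Issuing CA", true, nil, root)
	leaf := issue("Microsoft Corporation", false, codeSigning, issuing)
	// Same subject name, but minted by a CA the client does not trust.
	rogueRoot := issue("Rogue Root CA", true, nil, nil)
	rogueLeaf := issue("Microsoft Corporation", false, codeSigning, rogueRoot)
	// A genuine TLS server certificate from the trusted PKI, misused for code.
	tlsLeaf := issue("www.example.com", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, issuing)

	trusted := []*x509.Certificate{root.Cert}
	inters := []*x509.Certificate{issuing.Cert}
	return map[string]error{
		"trusted chain":              VerifyCodeSigningChain(leaf.Cert, inters, trusted),
		"same name, rogue root":      VerifyCodeSigningChain(rogueLeaf.Cert, inters, trusted),
		"tls cert used to sign code": VerifyCodeSigningChain(tlsLeaf.Cert, inters, trusted),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-28s accepted=%t err=%v\n", name, err == nil, err)
	}
}
```

The root pool is the client's real trust decision: whatever is in it can vouch for any subject name, which is why a root list shipped with the OS or browser is as strong as its weakest member. Passing KeyUsages to Verify is the part people forget; without it Go defaults to server authentication and a TLS certificate would be accepted as a code signer.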

  • Argument #5 (Score:3, Informative)

    by DVega ( 211997 ) on Wednesday August 31, 2005 @08:02PM (#13450206)

    "Bruce's Argument #5) The fact that the evidence of attack (the signature on the code) is stored on the computer under attack is mostly useless: The attack could delete or modify the signature during the attack, or simply reformat the drive where the signature is stored.

    My comments: I am not sure what this statement means...."

    Sometimes it is said of "code-signing" that even though it does not guarantee the safety of a downloaded component, at least you know who to blame if it crashes your computer. But a bad guy can sign his component, you accept the signature, and then the component can delete all traces of the signature from your computer. So even if you later realize that it was a "bad component", you have no means to review the signature.
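The whitelist mechanism the submission describes under Argument #1, the authenticity-and-integrity property under Argument #2, and the evidence-retention problem DVega spells out just above, combined into one added Go example (not code from the original post, this thread, or Windows XP SP2). Ed25519 keys generated in-process stand in for signer certificates; the publisher names "Citrix Corp" and "Snake Oil Corp" come from the submission, while their keys and the installer bytes are constructed; the audit sink is an io.Writer (stdout here) standing in for a log kept off the host, which is the answer to Argument #5: the decision record must not live on the machine the signed code is about to run on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// Signer is one entry of the IT department's whitelist: a display name and
// the public key it may sign with (a constructed stand-in for a signer cert).
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// SignedArtifact is what a publisher ships: the code, a signature over
// SHA-256(code), and the signer's public key, embedded like a signer cert.
type SignedArtifact struct {
	Code      []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// Receipt records one verification decision. It is written to an audit sink
// that should live off the host, so later deleting the signed file or wiping
// the disk does not erase the evidence of who signed what.
type Receipt struct {
	SignerName     string // whitelist name, empty if the signer is unknown
	CodeSHA256     string
	KeyFingerprint string // hex SHA-256 of the signer's public key
	Accepted       bool
	Reason         string
}

var (
	ErrBadSignature = errors.New("signature does not verify: code or signature was modified")
	ErrUntrusted    = errors.New("signature verifies but signer is not on the whitelist")
)

// Sign signs the SHA-256 digest of code, as real code-signing formats do.
func Sign(priv ed25519.PrivateKey, code []byte) SignedArtifact {
	digest := sha256.Sum256(code)
	return SignedArtifact{
		Code:      code,
		Signature: ed25519.Sign(priv, digest[:]),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Verify answers two questions only: is the code unmodified since signing,
// and is the signer pre-approved? It says nothing about whether the code is
// safe. Every decision, accepted or not, is appended to audit before return.
func Verify(a SignedArtifact, whitelist []Signer, audit io.Writer) (Receipt, error) {
	digest := sha256.Sum256(a.Code)
	r := Receipt{CodeSHA256: hex.EncodeToString(digest[:]), KeyFingerprint: fingerprint(a.SignerKey)}
	err := ErrUntrusted
	if !ed25519.Verify(a.SignerKey, digest[:], a.Signature) {
		err = ErrBadSignature // integrity failed; do not even consult the whitelist
	} else {
		for _, s := range whitelist {
			if s.Pub.Equal(a.SignerKey) {
				r.SignerName, r.Accepted, err = s.Name, true, nil
				break
			}
		}
	}
	r.Reason = "signature valid and signer whitelisted"
	if err != nil {
		r.Reason = err.Error()
	}
	fmt.Fprintf(audit, "code=%s key=%s signer=%q accepted=%t reason=%q\n",
		r.CodeSHA256, r.KeyFingerprint, r.SignerName, r.Accepted, r.Reason)
	return r, err
}

func main() {
	// Constructed keys standing in for the two publishers named in the
	// submission; in practice the whitelist is pushed by IT and audit is a
	// remote log rather than stdout.
	citrixPub, citrixPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, snakeOilPriv, _ := ed25519.GenerateKey(rand.Reader)
	whitelist := []Signer{{Name: "Citrix Corp", Pub: citrixPub}}
	code := []byte("constructed installer bytes")

	Verify(Sign(citrixPriv, code), whitelist, os.Stdout)   // accepted
	Verify(Sign(snakeOilPriv, code), whitelist, os.Stdout) // untrusted signer
	tampered := Sign(citrixPriv, code)
	tampered.Code = append([]byte{}, tampered.Code...)
	tampered.Code[0] ^= 0x01 // one-bit change after signing
	Verify(tampered, whitelist, os.Stdout) // bad signature
}
```

The three runs in main correspond to the three outcomes the thread argues about: a whitelisted signer is accepted, a valid signature from an unknown publisher is rejected without any user prompt, and a single flipped bit after signing fails the integrity check regardless of who signed. The receipt is written before Verify returns, so the code being verified never gets a chance to run and erase it; whether the audit writer really is off-host is a deployment decision the example cannot make for you.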

  • Who are you anyway? (Score:3, Informative)

    by samj ( 115984 ) * <samj@samj.net> on Wednesday August 31, 2005 @09:07PM (#13450586) Homepage
    Bruce is right, code signing (at least in its present form) sucks. In fact trust in general sucks, and will until we come up with an intelligent way to assign it. So you want a 'whitelist'? By that you presumably think that the 'whitelist' of CAs rolled out with browsers works? It doesn't. Nor will telling 'safer' to consult it before running code.
  • by Ernesto Alvarez ( 750678 ) on Wednesday August 31, 2005 @11:32PM (#13451378) Homepage Journal

    "That's great you know! In case there is an imposter Anonymous Coward, finally we've got a way to detect it!"

    You joke about that, but that's exactly what the authors of "Who wrote Sobig" did. They published anonymously, but put a public key in their text so no other "anonymous coward" could pretend to be them (or he, she or otherwise).
  • Re:Bruce is right (Score:2, Informative)

    by Minna Kirai ( 624281 ) on Thursday September 01, 2005 @12:30AM (#13451650)
    "Let's say, somebody breaks into a Debian mirror and replaces sshd with a version with a backdoor. If code signing was in place, you could notice it quite easily."

    You've got some typos there. The word "if" falsely implies that Debian doesn't already do this. [debian-adm...ration.org] Replace it with "because". Several other words should be changed to past tense.
