Neil Turner's Blog

Blogging about technology and randomness since 2002

Could VeriSign stop spyware?

Ben Edelman explains how VeriSign could stop drive-by spyware. Most ‘drive-by’ spyware installs using ActiveX in Internet Explorer; however, all ActiveX controls need to be digitally signed before IE will allow them to be installed. As Ed Bott mentions, around 95% of digital certificates are issued by VeriSign, and using those certificates for spyware-related activity is against VeriSign’s terms of usage.
Therefore, if VeriSign were to reject suspicious applications for digital certificates and revoke certificates being used improperly, much of the spyware out there right now would be severely crippled. While Microsoft has made lots of improvements to the ActiveX installation prompts, it is still possible to use social engineering to get users to install parasitic components; a refused or revoked certificate would stop the install dialogs from even appearing. And not everyone can use Windows XP SP2.
Ed has listed the contact details of some senior people at VeriSign whom you can contact in the hope that they may consider enforcing their terms of usage. This could potentially prevent a lot of spyware from being installed without users realising.
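The argument above rests on one mechanism: IE only offers to install an ActiveX control whose Authenticode signature chains to a trusted CA, so a certificate the CA has revoked (or never issued) never gets as far as the install prompt. As an added example, not code from the original post or from Ben Edelman or Ed Bott, here is a PowerShell check a defender can run on a downloaded control to see the same thing from the client side: it reads the Authenticode signature, then builds the signer’s certificate chain with online revocation checking and the code-signing usage required. The file path is a placeholder.

```powershell
# Added example: inspect an ActiveX control's Authenticode signature and report
# whether the signing certificate chains cleanly or has been revoked by its CA.
param(
    # Hypothetical path; point this at the .ocx/.dll/.cab you want to inspect.
    [string]$Path = 'C:\Downloads\suspect-control.ocx'
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"
if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
    "No valid Authenticode signature; IE would not offer to install this control."
    return
}

$cert = $sig.SignerCertificate
"Signer           : $($cert.Subject)"
"Issuer           : $($cert.Issuer)"
"Valid until      : $($cert.NotAfter)"

# Build the chain the way a verifier would: check CRL/OCSP for every
# certificate in the chain and require the code-signing extended key usage.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [type]"$ns.X509RevocationMode" | ForEach-Object { $_::Online }
$chain.ChainPolicy.RevocationFlag = [type]"$ns.X509RevocationFlag" | ForEach-Object { $_::EntireChain }
$codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku) | Out-Null

$ok = $chain.Build($cert)
"Chain builds     : $ok"
foreach ($s in $chain.ChainStatus) {
    "  $($s.Status): $($s.StatusInformation.Trim())"
}

$revokedFlag = [type]"$ns.X509ChainStatusFlags" | ForEach-Object { $_::Revoked }
$revoked = $chain.ChainStatus | Where-Object { ($_.Status -band $revokedFlag) -ne 0 }

if ($revoked) {
    "Signer certificate is REVOKED by its CA: block the install."
} elseif (-not $ok) {
    "Chain does not validate: treat the control as unsigned."
} else {
    "Signer chain is valid today; a CA revocation would flip this result."
}
```

Run it as a script (`.\Check-ActiveXSigner.ps1 -Path <file>`). The revocation check is the part that matters for the post’s argument: a control signed with a certificate VeriSign has since revoked still carries a syntactically valid signature, and only the CRL/OCSP lookup turns it into a failure.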
On a related note, when are we going to have ‘signed’ extensions for Firefox?

One Comment

  1. There was a thread on the mozdev project_owners list a while back about signed xpis, I wasn’t taking much notice as I don’t generate xpis for my project. As far as I understand Mozilla extensions can already be signed but a) it’s a pain and b) you need to buy a certificate. Somebody do correct me if I’m wrong.
    As for requiring extensions to be signed, that’s a different matter – making people pay for certificates for their code feels very much against the open source ethos. There is of course cacert, but can you imagine the policy discussions which they’d have to go through to get cacert recognised?