[Cryptography] HP accidentally signs malware, will revoke certificate

Theodore Ts'o tytso at mit.edu
Sat Oct 11 20:38:55 EDT 2014


On Sat, Oct 11, 2014 at 08:28:07PM -0400, Jerry Leichter wrote:
> ... HP would have had to start
> from scratch.  Frankly, it's not clear that what they did makes a
> whole load of sense.  Since signatures are only checked during
> installation, they haven't done anything at all to protect customers
> who already installed the malware - and it's been out there for
> quite some time.

Ah, I didn't realize that they didn't catch they had signed the
malware for a long period of time.  You're right though, having an
SSRL only stops new installations of the malware.  I was thinking of
the sort of "packagekit" situation where you might send someone
software with a particular MIME type that automatically triggers an
offer to download software to handle that MIME type, where you might
really want to block new installations of said malware.

> That would be a fine idea.  As I pointed out above, the
> closed-source world does this kind of thing.  I suspect it hasn't
> made much headway in the OSS world because many people - especially
> the developers - use OSS exactly because they want the freedom to
> run whatever they want.  The notion that *someone else* - even the
> author of the software - could shut down their ability to do what
> they want on their own box would be anathema to many in the OSS
> community.

This is all in the definition of what it means for software to be on
the SSRL list.  Does it mean, "you're not allowed to run it" (a DRM
mechanism), or does it mean, "I strongly recommend you stop using this
code; upgrade NOW"?  One could imagine that if the software was
already installed, that on the periodic check, the checker would
display a pop-up box that printed some explanatory string that was
included in the SSRL, and then asked the user if they wanted to
continue using the software.

This would be much like the "Danger Will Robinson" warning which
Chrome pops up when you visit a web site that is on the "is known to
try to download malware" list.  You can still continue on if you
__really__ want to visit that site, but there is a clear explanation
of why it is not a good idea, and what to do if you are the owner of
said web site.  I could imagine a similar dialog box which would
explain how to upgrade the software component, or perhaps offers to
automatically upgrade the software after the user gives permission.

So whether or not this makes headway is all in the UX design, I would
think.

Cheers,

					- Ted
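The two SSRL semantics Ted contrasts above (a DRM-style "you may not run this" entry versus an advisory "stop using this, upgrade now" entry that shows an explanation and lets the user decide), together with the install-time case from earlier in the thread where a listed package should simply never be installed automatically, as an added toy checker. This is illustrative code written for this page, not HP's, Chrome's, packagekit's or any list operator's implementation; the list record shape (`sha256`, `policy`, `message`, `upgrade_hint`), the policy names and the sample artifacts are all assumptions.

```python
# Added example (not from the thread or from any vendor's code): a toy
# "signed software revocation list" (SSRL) checker that models the two
# meanings Ted contrasts, "you may not run this" versus "stop using this,
# upgrade now", and the install-time versus already-installed cases.
# The list format, field names and policy values are assumptions.
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Policy(Enum):
    BLOCK = "block"  # DRM-style entry: the checker refuses outright
    WARN = "warn"    # advisory entry: explain, then let the user decide


@dataclass(frozen=True)
class SsrlEntry:
    sha256: str        # hash of the signed artifact the entry covers
    policy: Policy
    message: str       # explanatory string shipped in the list itself
    upgrade_hint: str  # what the user should do instead (assumed field)


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "refuse", "continue" or "stop"
    message: str  # text a UI would show; empty when nothing is listed


def fingerprint(artifact: bytes) -> str:
    """Identify an artifact by SHA-256 of its bytes (a real list would more
    likely key on the signature or signed hash, but the lookup is the same)."""
    return hashlib.sha256(artifact).hexdigest()


def load_ssrl(records: List[dict]) -> Dict[str, SsrlEntry]:
    """Parse list records (assumed JSON-like shape) into a hash-keyed table."""
    table: Dict[str, SsrlEntry] = {}
    for rec in records:
        entry = SsrlEntry(rec["sha256"], Policy(rec["policy"]),
                          rec["message"], rec["upgrade_hint"])
        table[entry.sha256] = entry
    return table


def check_install(artifact: bytes, ssrl: Dict[str, SsrlEntry]) -> Decision:
    """Install-time check: a listed artifact is never installed automatically,
    whichever policy it carries, which is the packagekit-style case."""
    entry = ssrl.get(fingerprint(artifact))
    if entry is None:
        return Decision("allow", "")
    return Decision("refuse", f"{entry.message} {entry.upgrade_hint}")


def check_installed(artifact: bytes, ssrl: Dict[str, SsrlEntry],
                    ask_user: Callable[[str], bool]) -> Decision:
    """Periodic check of software already on the box. BLOCK entries stop it;
    WARN entries show the explanation and let the user choose to continue."""
    entry = ssrl.get(fingerprint(artifact))
    if entry is None:
        return Decision("continue", "")
    text = f"{entry.message} {entry.upgrade_hint}"
    if entry.policy is Policy.BLOCK:
        return Decision("stop", text)   # user is not consulted
    if ask_user(text):
        return Decision("continue", text)
    return Decision("stop", text)


# Constructed sample artifacts standing in for signed installers.
MIS_SIGNED = b"constructed sample: installer that was signed by mistake"
RECALLED = b"constructed sample: installer the vendor wants hard-blocked"
CLEAN = b"constructed sample: an unlisted, unremarkable installer"

# Constructed SSRL records; the wording is illustrative only.
SAMPLE_RECORDS = [
    {"sha256": fingerprint(MIS_SIGNED), "policy": "warn",
     "message": "This package was signed in error and is known malware.",
     "upgrade_hint": "Upgrade to the vendor's reissued build."},
    {"sha256": fingerprint(RECALLED), "policy": "block",
     "message": "This package has been withdrawn by its publisher.",
     "upgrade_hint": "Remove it and reinstall from the current release."},
]
SAMPLE_SSRL = load_ssrl(SAMPLE_RECORDS)


if __name__ == "__main__":
    print(check_install(MIS_SIGNED, SAMPLE_SSRL))
    print(check_installed(MIS_SIGNED, SAMPLE_SSRL, ask_user=lambda m: True))
    print(check_installed(RECALLED, SAMPLE_SSRL, ask_user=lambda m: True))
    print(check_installed(CLEAN, SAMPLE_SSRL, ask_user=lambda m: True))
```

The split between `check_install` and `check_installed` is the point of the thread: a list that only gates installation does nothing for machines where the package already sits, so the periodic check is where the policy choice (block versus warn-and-ask) actually shows up, and the explanatory string travels with the list entry so the UI can say why and what to do, much as the browser warning does.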

