Signing/certifying applications and application security: I just don't get it

Thursday, February 3. 2005

Signing/certifying applications and application security: I just don't get it

I just don't get: so many times, digitally signing/"certifying" applications is presented as the solution to application security issues. But what does digitally signing applications have to do with application security? Nothing, it seems to me, as it only proves that the application was signed by a certain entity. It makes absolutely no point about any security implemented in the application. Digitally signing an application doesn't mean auditing it. It would be way to much work to code-audit every single application that is about to be signed and published, and still wouldn't actually prove security. So what is the point of digitally signing applications, except for triggering a false sense of security in the lay-user? Or am I just too stupid to get the whole concept?

Posted by admin in General at 07:40 | Comments (2) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

You know too much to simply accept industry buzzwords. Signing applications does not say anything about application security, it's just a mechanism to prevent free software to be distributed.

#1 mihi on 2005-02-03 09:07 (Reply)

Well, it's not totally pointless. A signed application assures you that what you're installing is what the publisher published.

The class of attacks it defends against is something like a haxx0red Debian mirror compromising all the boxes that dist-upgrade from it, a worthy (and, AFAIK, unimplemented) goal.

Assuming a full-fledged PKI (which I think is behind Authenticode and all the other schemes pushed by M$, Sun etc), the registration authority would also provide some assurance that the real-life entity stated as the publisher exists somewhere and can be made accountable (which is a nice dream, given the usual "it's not our fault if this kills you"-EULAs and the cost of international law suits).

All in all, I think signed packages are a necessity in today's world of digital software distribution, but of course they cover only a small part of the overall threat model for software operating in an Internet environment.

#2 Thomas Themel on 2005-02-03 18:11 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. You can use [geshi lang=lang_name [,ln={y\|n}]][/geshi] tags to embed source code snippets. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry