In message
<200005050123(_dot_)VAA09369(_at_)astro(_dot_)cs(_dot_)utk(_dot_)edu>, Keith
Moore writes:
note that it takes a nontrivial user interface to communicate this to
a recipient of email: e.g.
NOTE: this message was signed by someone purporting to be
Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu>. The signature is validated
by a certificate from Fly-By-Night Certificate Authority, Inc.
Fly-By-Night's certificate verifies correctly according to
another certificate from FemtoSoft corporation that was supplied
with your email reader, but you have not personally placed trust
in FemtoSoft.
Therefore the authenticity of the claimed sender cannot be verified.
and yet this is basically what it takes to do the job.
there's no way you should ever just "click" on an arbitrary
attachment regardless of content, expect that content to
be evaluated, and still expect it to not cause harm.
Of course, today's particular piece of malware told users to click 'Yes' to
install the necessary ActiveX control...
As for certifictes -- has anyone else done a Windows 98 update in the last two
weeks, and examined the certificate? It seems that Microsoft's update
certificate expired on 16 April without them noticing... Nor is the first
time this has happened to Microsoft; a year ago, I sent in postings to RISKS
Digest noting that both they and Netscape were shipping updates via expired
certificates. And I'd notified Microsoft about a year before that of yet
another such incident. (I was told that the expiration date didn't matter,
since the certificate was valid at the time the code was signed. Of course,
how am I supposed to know that? Maybe whatever hypothetical being compromised
their expired -- and hence "worthless" -- private key set the date back on his/
her computer before signing a more subtle piece of malicious code.)
--Steve Bellovin