However, large corporations are not the only entities empowered to install "trusted" code. In fact, browsers such as Firefox, Chrome, and Internet Explorer maintain a list of trusted certificates, any one of which will suffice to install certified code on any Windows PC, unattended. The pop-up box is imposed by policy, not intrinsically required.
Conscientious programmers have noted that whenever a browser is updated, manually entered exclusions (such as "No Malaysian RSA-authorized software at all") are clobbered, or overwritten.
One solution to this, for security-obligated employers, is to use Open Source's freedom to modify in order to insert a pop-up alert, or "nag," EVERY time any RSA cert is invoked.
The purpose of such an alert would be to signal that ANY software was installing unattended. Every virus writer drools over the idea, and nation-states that promote APTs or turn a blind eye to abuse are quite capable of compromising their own RSA certificate(s) for nefarious purposes. As in Hitchcock's classic "Strangers on a Train," the bad actors need not incriminate themselves if they are appropriately sophisticated.
Despite the allure of this solution, it requires some understanding of certificates on the part of the end user. It used to be commonplace for a legitimate certificate to be flagged as an error because of date/time inaccuracies in the BIOS clock of the end user's machine.