Ben Edelman explains How VeriSign Could Stop Drive-By Downloads. VeriSign, in case you don’t recognize the name, is the company that controls 95% of the digital certificates used on the Internet today. These certificates are passed out like bubble gum cards to any company that has an address and a check (typically between $200 and $600) for the certificate registration fee. When you visit a Web site that wants to install an ActiveX control on your computer to extend the capabilities of Internet Explorer, VeriSign gets involved by displaying information contained in the official record for the company’s digital signature.
There are countless legitimate and ethical companies that use ActiveX technology for good purposes. Unfortunately, there’s also a disproportionately active community of scammers and charlatans intent on exploiting the trust that is implicit in a digital signature. An enormous amount of crapware has been dumped onto countless computers by this latter group, who use ActiveX permission dialog boxes to sucker unwitting users into “agreeing” to install software that they invariably regret later.
If VeriSign chose to enforce its license agreements, it could revoke the certificates of those companies that misuse the trust they inherit through a digital certificate. And without a certificate, virtually all versions of Windows will reject the proposed software cold, without subjecting the user to a misleading prompt. Ben explains:
Through existing software systems, already built into Internet Explorer and already implemented by VeriSign servers, VeriSign has the ability to revoke any certificate it has previously issued, disabling ActiveX installations that use that certificate. See VeriSign’s Certificate Revocation List server (crl.verisign.com) and Microsoft Certificates documentation of the revocation system.
I suggest that VeriSign can and should use its existing certificate revocation system to disable those certificates issued or used in violation of applicable VeriSign rules.
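As an added illustration (not code from the original post, from Ben's article or from VeriSign), here is a small Python model of the gate Ben is relying on: before Internet Explorer shows the install prompt, the signing certificate is looked up by issuer and serial number in the issuer's CRL, and a revoked certificate is rejected without any prompt. The model also fails closed when the CRL is missing, stale or from a different issuer, since such a list cannot vouch for the certificate; the issuer name, serial numbers and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    issuer: str   # CA that signed the certificate (VeriSign in the post)
    serial: int   # CRLs identify revoked certificates by issuer + serial number
    subject: str  # the company name the ActiveX prompt displays

@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime   # when the list was published
    next_update: datetime   # after this the list must be refreshed
    revoked_serials: frozenset

def revocation_status(cert: Cert, crl, now: datetime) -> str:
    """Return 'good', 'revoked' or 'unknown'. A CRL only speaks for its own issuer
    and only inside its validity window; otherwise it cannot vouch for the cert."""
    if crl is None or crl.issuer != cert.issuer:
        return "unknown"
    if not crl.this_update <= now <= crl.next_update:
        return "unknown"
    return "revoked" if cert.serial in crl.revoked_serials else "good"

def install_decision(cert: Cert, crl, now: datetime, trusted_issuers: frozenset) -> str:
    """Trust gate ahead of the ActiveX prompt (assumes the Authenticode signature has
    already been verified). 'prompt' shows the signer to the user; 'block' rejects
    the control with no prompt. Anything other than 'good' is treated as 'block'."""
    if cert.issuer not in trusted_issuers:
        return "block"
    if revocation_status(cert, crl, now) != "good":
        return "block"
    return "prompt"

# Constructed sample data: placeholder issuer, made-up serials and dates.
ISSUER = "Example Code Signing CA"
TRUSTED = frozenset({ISSUER})
NOW = datetime(2004, 6, 1, tzinfo=timezone.utc)
HONEST = Cert(ISSUER, 1001, "Honest Widgets Inc.")
SCAMMER = Cert(ISSUER, 2002, "click yes to continue")
# Current CRL from the issuer, revoking the scammer's certificate.
CRL_FRESH = CRL(ISSUER, NOW - timedelta(days=1), NOW + timedelta(days=6), frozenset({2002}))
# The same list after its nextUpdate has passed: it can no longer vouch for anyone.
CRL_STALE = CRL(ISSUER, NOW - timedelta(days=30), NOW - timedelta(days=23), frozenset({2002}))

if __name__ == "__main__":
    for name, cert, crl in (("honest", HONEST, CRL_FRESH), ("scammer", SCAMMER, CRL_FRESH)):
        print(name, install_decision(cert, crl, NOW, TRUSTED))
```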
Ben documents three products that clearly violate the VeriSign contract. After presenting the proof, he writes:
Each of these misleading installations is contrary to VeriSign contract, contrary to VeriSign’s duty to its users, and contrary to VeriSign’s many promises of trustworthiness. In the first installer, VeriSign affirmatively certified the “click yes to continue” company name — although it seems that there exists no company by that name, and although that company name is facially misleading as to the purpose of the installation prompt. In the second and third examples, VeriSign certified companies that subsequently used VeriSign’s certification as a necessary step in deceiving users as to the function of and (alleged) need for their programs.
Given VeriSign’s claims (such as its old motto, “the value of trust”), VeriSign should want to put an end to these practices. When VeriSign certificates are issued wrongfully (as in the first example) or are used deceptively (as in the second and third), VeriSign should take action to protect users from being tricked. In particular, when an application offers a facially invalid and misleading company name, VeriSign should refuse to issue the requested certificate. When an applicant violates basic standards of truth-telling and fair dealing, VeriSign should revoke any certificates previously issued to that applicant.
Read Ben’s article. If you think VeriSign should follow through on its responsibility to you and me as users of their digital signature technology, why not give CEO Stratton Sclavos a call at 650-961-7500? If he’s not there, ask for Judy Lin, Executive Vice President, Security Services. (If anyone has a good e-mail address for either of these individuals, let me know and I’ll update this post.) Update: Send your e-mail to stratton@verisign.com.
And spread the link to this post and to Ben’s article. There’s nothing like a little publicity to help big companies like VeriSign understand their responsibilities to their ultimate customers – us.