[Dailydave] I love PKI :) (was Some Propaganda.)
ergosum
ergosum at neurosecurity.com
Thu Nov 16 22:22:59 Local tim 2006
> Just to make it clear - I don't think that enforcing the use of digital
> signatures on all executables is an effective way to *block* malicious
> code execution. That would never work in 100%, as there is always a
> possibility to find a bug (in a signed application) and exploit it, not
> to mention that anybody could buy a signature and sign his or her
> malicious code with it.
>
Not only might the implementation be flawed, but the algorithm itself can be
flawed. Just remember the recent MD5 collisions
(http://www.stachliu.com/research_collisions.html) (which, btw, permitted the
creation of custom binaries with the same signature as the original, unmodified
bin) or the SHA-0 and SHA-1 (http://www.cryptography.com/cnews/hash.html)
collisions.
Cheers
--
http://www.neurosecurity.com
"We must be the change we wish to see in the world"
Mahatma Gandhi
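The point above, that a signature only binds to the digest and so inherits any weakness of the hash, as an added example not taken from the post: a toy 16-bit truncation of MD5 stands in for a collision-prone hash (no real MD5 collision is used), an HMAC stands in for the signer's key, and the "binaries" are constructed byte strings.

```python
import hashlib
import hmac

WEAK_BITS = 16                     # toy truncation so a match is found in a second
SIGNING_KEY = b"demo-signing-key"  # stand-in for the signer's private key (constructed)

def weak_digest(data: bytes) -> bytes:
    """Collision-prone digest: MD5 truncated to WEAK_BITS (toy, not a real scheme)."""
    h = int.from_bytes(hashlib.md5(data).digest(), "big")
    return (h >> (128 - WEAK_BITS)).to_bytes(WEAK_BITS // 8, "big")

def strong_digest(data: bytes) -> bytes:
    """Full-width SHA-256, used to contrast with the weak digest."""
    return hashlib.sha256(data).digest()

def sign(data: bytes, digest) -> bytes:
    # A code signature covers digest(file), not the file itself; HMAC stands in for RSA.
    return hmac.new(SIGNING_KEY, digest(data), "sha256").digest()

def verify(data: bytes, sig: bytes, digest) -> bool:
    return hmac.compare_digest(sign(data, digest), sig)

def find_matching_padding(prefix: bytes, target: bytes, max_tries: int = 1 << 24) -> bytes:
    """Deterministically search for padding such that weak_digest(prefix + padding) == target."""
    for i in range(max_tries):
        padding = i.to_bytes(8, "big")
        if weak_digest(prefix + padding) == target:
            return padding
    raise RuntimeError("no match within max_tries")

def demo() -> dict:
    original = b"ORIGINAL BINARY: legitimate program v1.0\n"   # constructed sample
    modified = b"MODIFIED BINARY: same signer, different code\n"  # constructed sample
    sig_weak = sign(original, weak_digest)
    sig_strong = sign(original, strong_digest)
    forged = modified + find_matching_padding(modified, weak_digest(original))
    return {
        "forged_differs": forged != original,
        # The unchanged signature validates the other file when the digest is weak...
        "weak_accepts_forged": verify(forged, sig_weak, weak_digest),
        # ...but a verifier bound to a full-strength digest rejects it.
        "strong_accepts_forged": verify(forged, sig_strong, strong_digest),
    }

if __name__ == "__main__":
    print(demo())
```

The defender's takeaway is that a verifier must refuse signatures whose digest algorithm is no longer collision resistant, rather than trusting the signer's key alone.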