Song of The Day: Fire - Artist: Jimi Hendrix

Well, I indicated a while back that I would post some notes about object signing (specifically for Firefox extensions), so here’s a start. There is a lot of information around the Internet about object signing; however, it still takes a little time to discover, aggregate, and digest it all. Hopefully these blog fascicles will help clarify a few points and technologies for people.

Summary

In the coming entries we’ll walk through the steps of creating “self-signed CA (certificate authority) digital signatures” that folks can use for testing purposes. They will also show how to create these types of certificates using the certutil and signtool tools from NSS (Network Security Services). Along with this specific information, there will also be references to related technologies like Authenticode and Java’s javakey.

Object Signing Model

First, let me write a few words about code signing. It has been around a while (since the late 90s for browsers), and it is one type of security model for running code. The idea is that an entity, an individual or a company, “certifies” that the software is from them and, generally, that it is safe to run. Typically, the certification process involves a third-party issuer, or certificate authority, like Verisign, to strengthen the process and policies. In other words, authorship is verified by a trusted authority, and the signature guarantees that no one other than the author has modified the code.
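The two guarantees in the paragraph above, verified authorship and unmodified code, are easiest to see in a small program. What follows is an added example, not code from the original post or from NSS: it uses Go’s standard crypto/x509 library in place of certutil and signtool, builds a throwaway self-signed test CA of the kind the coming entries describe, has that CA issue a code-signing certificate, signs a constructed payload, and then shows that verification succeeds on the original bytes and fails once a single bit is changed. All names, serial numbers and the payload are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedObject: the object, a detached signature, and the signer's DER certificate.
type SignedObject struct{ Payload, Signature, SignerCert []byte }

// baseTemplate returns a minimal X.509 template; names and serials here are constructed.
func baseTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(24 * time.Hour),
	}
}

// mkCert signs tmpl for pub with parentKey; parent == tmpl yields a self-signed cert.
func mkCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewTestPKI builds a throwaway self-signed root CA plus a code-signing cert it issues.
func NewTestPKI() (ca, signer *x509.Certificate, signerKey *rsa.PrivateKey, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	if signerKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, nil, err
	}
	caTmpl := baseTemplate(1, "Test Object Signing CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign
	if ca, err = mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil { // self-signed root
		return nil, nil, nil, err
	}
	sTmpl := baseTemplate(2, "Test Extension Author")
	sTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	sTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	signer, err = mkCert(sTmpl, ca, &signerKey.PublicKey, caKey) // issued by the test CA
	return ca, signer, signerKey, err
}

// Sign produces a detached RSA PKCS#1 v1.5 signature over SHA-256(payload).
func Sign(payload []byte, signer *x509.Certificate, key *rsa.PrivateKey) (SignedObject, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return SignedObject{Payload: payload, Signature: sig, SignerCert: signer.Raw}, err
}

// Verify checks authorship (signer chains to a trusted CA) and integrity (signature matches).
func Verify(obj SignedObject, trustedCA *x509.Certificate) error {
	cert, err := x509.ParseCertificate(obj.SignerCert)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, obj.Payload, obj.Signature); err != nil {
		return fmt.Errorf("object altered after signing: %w", err)
	}
	return nil
}

// Demo signs a constructed object; the original should verify, a one-bit-altered copy should not.
func Demo() (originalOK, tamperedOK bool, err error) {
	ca, signer, key, err := NewTestPKI()
	if err != nil {
		return false, false, err
	}
	obj, err := Sign([]byte(`alert("hello from a test extension");`), signer, key) // constructed payload
	tampered := obj
	tampered.Payload = append([]byte(nil), obj.Payload...)
	tampered.Payload[0] ^= 0x01 // simulate modification after signing
	return Verify(obj, ca) == nil, Verify(tampered, ca) == nil, err
}

func main() {
	fmt.Println(Demo())
}
```

Run it with `go run`; `Demo` reports `true false <nil>`. `Verify` deliberately performs the two checks separately so that a failure says which guarantee broke: a certificate that does not chain to the CA you trust is an authorship problem, while a signature that no longer matches the bytes is an integrity problem. Note what is not checked anywhere here: nothing about the payload’s behaviour, which is exactly the limitation the Caveat Emptor section points out.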

Sandbox Model

Sandboxing is a contrasting security model: instead of certifying who wrote the software, it restricts what the software can do. As an analogy, one verifies a door with a key while the other removes doors entirely. Unauthenticated Java applets are an example of “sandboxed” restrictions that limit behavior. One such restriction on Java applets is that they have no access to local computer files. Another is that applets cannot connect to any host other than the one they were downloaded from. There are ways around applet sandbox behavior, but not by default.

Caveat Emptor

However, it is important to understand that a signature on software does not verify that the code will run without problems. For example, one may download signed software from a company and still experience bugs or even rogue behavior. Unbelievably, even fraud can surface. See this article for an example that affected Microsoft. Although object signing has its limitations and problems, it is still a powerful model for protecting users and deploying trusted software. People just need to be aware that it complements education, awareness, and other measures for protecting systems.

Next Time

Object Signing: Using NSS (part 2)
