Re: https and certificates?
> IMHO this method has no advantages over
> good old HTTPS connection and personal
> Using Apache's mod_ssl with
> ExportCertData enabled, you can even do
> deeper checks of the certificate in your
> server-side scripts or use information
> contained therein for script-side
> authentification (see FakeBasicAuth
> option of mod_ssl).
personally, I think the biggest risk on the Net today is simple surfing: user may be browsing what is normally a reliable site but clicks on a link that interests him and this link could very easily lead into the back alley where the RATS live.
The site the user came from is most likely well intentioned. but the character of the destination may have changes either by revisions made by the web authors or by some kind of DNS spoofing
which is why it is critical to establish and enforce the simple rule No Signature: No Execute as far as anything executable goes.
Hopefully we can prevent the RAT from getting his signature approved by the Certificate Authority but we should discuss auditing of software distributions separately. For starters we kill all un-authorized executables on the spot.
To win we must beat the RAT and we must beat him by a complete shut-out.
Which means: No Signature: No Execute.
Once that has been done on the communication link finishing the issue will require some kind of auditing for software that we do allow to be distributed.
One other thing too: and that is about Certificate Authorities: we will have to insist that everyone appear in person with identification at the Certificate Authority or at an authorized agent thereof such as a Credit Union, Office Max etc. in order to obtain the public key for the Certificate Authority and to register personal public key.
PoC Mike Acker