News from PANUG  March 22, 2001
http://www.panug.org
info@panug.org

REPORT FROM BRAINSHARE

Bruce Yatvin has been turning in daily reports from Brainshare
in Salt Lake City. If your interest is in the future of Novell or its
products, tune in to Bruce's commentary at:
http://www.panug.org/articles/index.htm


MICROSOFT DIGITAL CERTIFICATES
by Ed Sawicki

MSNBC has announced that an attacker has obtained a digital
certificate from Verisign that has Microsoft's identity and
authority. This means that hostile programs, such as Active-X
controls, may claim to be from Microsoft and have the
certificate to prove it.

To protect against this in your web browser, for example, you
need to reconfigure your web browser to no longer accept
Microsoft-signed certificates without prompting you. Of course,
what happens when your web browser does ask you whether
you want to accept web page content that has a Microsoft
certificate?

Remember that Active-X controls run at kernel level. They can
do whatever they want to your machine. This is why Java applets
have always been the better choice for active web page content.
Java has its "sandbox" to protect your machine from a hostile
Java applet. Active-X has no protection other than digital
certificates. Today's news now neuters any argument about
the benefits of digital certificate protection.

The false certificate was issued by Verisign! You may recall that
Verisign is the same company that was at least partly responsible
for the theft of some huge number of credit cards (millions)
from Internet sites over the past few months. I think Verisign calls
themselves "The Internet Trust Company". If so, this term
is quickly becoming oxymoronic.

For the story, look here:

http://www.msnbc.com/news/548228.asp