Re: [Dailydave] I love PKI :) (was Some Propaganda.)
From: ergosum (ergosum neurosecurity.com)
Date: Thu Nov 16 2006 - 16:22:59 CST
> Just to make it clear - I don't think that enforcing the use of digital
> signatures on all executables is an effective way to *block* malicious
> code execution. That would never work in 100%, as there is always a
> possibility to find a bug (in a signed application) and exploit it, not
> to mention that anybody could buy a signature and sign his or her
> malicious code with it.
>
Not only might the implementation be flawed, but the algorithm itself can be
flawed. Just remember the recent MD5 collisions
(http://www.stachliu.com/research_collisions.html) (which btw permitted the
creation of custom binaries with the same signature as the original
non-modified bin) or SHA-0 and SHA-1 (http://www.cryptography.com/cnews/hash.html)
collisions.
Cheers
--
http://www.neurosecurity.com
"We must be the change we wish to see in the world"
Mahatma Gandhi