Microsoft application white listing is unnecessary
User education is better than implementing a potentially anti-competitive system within software.
This came to me by way of Eddie from VK2BV - Waverley Amateur Radio Society. I'm waiting to get Eddie's permission to quote his original email.
He mentioned SC Magazine's recent article on Microsoft whitelisting applications. I have to disagree with Munir Kotadia, the author, that a whitelist of applications should be used.
My reply is as follows:
Although white listing is a great idea, it could be seen as an anticompetitive move on Microsoft's part if only approved software can be installed on a user's computer. It raises interesting questions like, how would a small firm actually get onto the list of approved software?
An option that is already in use right now is certificate signing. It's simply a matter of education. Currently software can be signed by the author. This is evident when, on say XP or Vista, the installer has a popup asking you if you trust the certificate, and who signed the certificate.
Let's have a *very* quick lesson on certificates.
You have a list of organisations called CAs ("Certificate Authorities"). You know them as companies like Thawte, GoDaddy, VeriSign et al. They're a list of companies that are trusted by the general public to issue certificates to customers they trust - people who write software. A developer will send their own certificate to a CA, then the CA will digitally sign the certificate as being approved. With this trusted certificate, the developer will then be able to certify their software, and the Windows Installer will ask if you trust that certificate when you go to install it.
Sounds great! So where's the problem?
Well, there are two problems:
- Anybody can become their own CA and sign their own certificates. It's kind of like saying "Hi, I'm Joe, give your money to me. This bank (Joe's National Bank) says I'm good for it." and users will trust it because it appears legitimate (Joe's National Bank - it looks safe, they're a bank!). The act of signing it makes it seem legitimate, even though it might not be. Users should trust certificates only if they've been signed by one of the major Certificate Authorities.
  Web browsers have a list of Certificate Authorities that can be trusted. If a certificate is self-signed, the browser will tell you that it's signed by an unrecognised CA. Windows Installer really just needs to do the same thing.
- The second problem is that not all software has to be installed using Windows Installer. MSI packages are a great way to install software, but most bodgey software will almost undoubtedly not use MSI. This means that all the great certificate stuff is moot, because the kinds of users infected by this kind of spyware do not think "Why aren't they using a trusted method to install software?"
  You don't even get to the certification stage because their own installer doesn't check. Windows will simply ask you "do you trust this software to run?" and then installs.
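The distinction drawn in both points above (unsigned, self-signed, or signed under a CA in the trusted list) can be checked on any installer, MSI or not. This is an added example, not part of the original post; the function name `Get-InstallerTrust` and its verdict labels are hypothetical, and it relies only on the built-in `Get-AuthenticodeSignature` cmdlet and the .NET `X509Chain` class.

```powershell
# Added example: classify an installer's Authenticode signature before running it.
# Get-InstallerTrust and the verdict names are hypothetical, chosen for illustration.
function Get-InstallerTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # No signature at all: nothing vouches for the publisher (the "second problem").
    if ($sig.Status -eq 'NotSigned' -or -not $cert) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Unsigned'; Signer = $null; Root = $null }
    }

    # Walk the chain from the signer up to its root so the root can be reported.
    # Revocation is skipped here so the lookup also works offline; the trust
    # decision itself comes from $sig.Status, which Windows evaluates against
    # the machine's trusted root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    $verdict =
        if     ($sig.Status -eq 'HashMismatch')            { 'Tampered' }        # file changed after signing
        elseif ($cert.Subject -eq $cert.Issuer)            { 'SelfSigned' }      # "Joe's National Bank"
        elseif (-not $chainOk -or $sig.Status -ne 'Valid') { 'UntrustedChain' }  # issuer not in the trusted list
        else                                               { 'TrustedCA' }

    [pscustomobject]@{ Path = $Path; Verdict = $verdict; Signer = $cert.Subject; Root = $root }
}

# Usage: review every executable installer in the Downloads folder.
Get-ChildItem "$env:USERPROFILE\Downloads" -Include *.exe, *.msi -Recurse |
    ForEach-Object { Get-InstallerTrust -Path $_.FullName } |
    Format-Table Verdict, Signer, Root, Path -AutoSize
```

A self-signed certificate is reported as `SelfSigned` even if someone has added it to the local trusted root store, which matches the post's advice to rely only on the major Certificate Authorities.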
By educating users on a simple lesson: they should only run software they trust, and they should only install software through trusted channels, the antivirus, spyware and anti-spyware industries would be only a fraction of the size they are today.
By the same token, tech support would also be a much happier place to work!
73 VK2JSI..
