Signed code: Security or censorship?

Depending on Microsoft's approach, code signing could not only secure the desktop, but the software giant's control over it as well

A push by Microsoft to secure each program that runs on its next-generation PC operating system could easily be used to tighten its control over software developers, warned security experts last week.

Several reports claimed that Microsoft plans to secure the code of its next-generation consumer operating system, codenamed Whistler, with digital signatures in an effort to prevent viruses and Trojan horses.

Known as code signing, the technique links a software developer's name with a program or Internet applet using digital signatures. The code cannot be changed without destroying the signature, giving users a way to link a company with a program. If something goes wrong, the user will know whom to blame.

Yet the technique could also give Microsoft a way to regulate the code that's allowed to run on the consumer desktop, said Bruce Schneier, chief technology officer of security service provider Counterpane Internet Security.

"It certainly consolidates power," he said.

While Schneier believes code signing, if done right -- "a big if", he said -- could better secure the desktop, the control over the issuance of digital signatures for software developers should be a concern.

Currently, Microsoft uses code signing on several Windows platforms to verify ActiveX components downloaded from the Internet -- also called Authenticode -- and drivers.

For drivers, code is signed by Microsoft's Windows Hardware Quality Labs after it has passed a battery of compatibility tests. For ActiveX components, the digital signature can be issued by a third party, such as VeriSign, under strict guidelines by Microsoft. Both methods insure that the user knows whose software is being installed on their system.

Depending on which method becomes more common for programs in the future, Microsoft will exert little, or a lot, of control.

Steven Bellovin, a research fellow at AT&T Labs Research in Florham Park, NJ, wonders if Microsoft might revoke a rival's signature in the future.

"Remember, the Instant Messenger war between Microsoft and AOL?" he said. "Now, suppose that the tables were reversed, that Microsoft had a service that it didn't want AOL to access. Could they revoke AOL's certificate? Would that be legal?"

Steve Lipner, manager of the Microsoft Security Response Centre, says no -- at least to the first question.

Lipner points to the Authenticode process as the way of the future. "Look at the Authenticode mechanism as a sort of model," he said. "Anyone can build Authenticode signed code, and anyone can be certified by a third party." As long as the third party does its job and verifies the developers' information, Microsoft is satisfied.

But, for the smallest developers, just getting a signature could be a problem.

While confirming that VeriSign can issue an Authenticode digital ID to anyone who meets certain criteria, Bob Pratt, director of product marketing for VeriSign said that today, many small, independent software developers cannot get one.

The reason: in issuing the digital certificate -- later used for signing code -- VeriSign must insure that the developer's name and address are true. For small developers and individuals, that's difficult and expensive.

"We originally had issued a Class Two developer ID [for smaller developers]," Pratt said. "But there really isn't a market." Verifying a small software developer's information takes more effort than for a well-established company. That means VeriSign charged smaller developers more for an Authenticode digital ID.

Yet, Pratt, who confirmed that Whistler will have an option to only accept signed code, believed that if consumers demanded more security, a market could open up for digital IDs for smaller developers.

Code signing has a lot of security issues as well, said Bellovin.

Bellovin agrees that code signing schemes like Microsoft's could lead to users knowing from where their applications came and prevent a malicious program from replacing existing applications with Trojan horses.

However, code signing is not the same as protection, he said. "Signing does not protect you if you've made an error in judgment about whom to trust."

Virus writers could still sign their code and cause it to execute as soon as you install another piece of software, he said. To the user, it would seem that the software they just installed caused the problem.

In addition, users not only have to trust a company's honesty but their corporate security as well. "What if they have been hacked and someone has planted something in their [software]?" he said.

Just last month, Microsoft found that a hacker had accessed their own internal network and may have had access to source code currently under development.

Finally, the operating system itself has to be secure, said Bellovin. "Something like Windows 98 can't [be secure], since any program can write anything," he said. "Windows NT and Windows 2000 are, in theory, capable of such things, but have to be configured properly."

While a network administrator at a company may be able to configure a system securely, Bellovin doubts most users will be able to.

"In a world of butterfly ballots, people have learned that the human interface can be vitally important," he said.

Take me to ZDNet Enterprise

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.