Re: Driver package signing
Pete Batard <pete <at> akeo.ie>
2012-04-13 10:32:29 GMT
On 2012.04.13 00:53, Xiaofan Chen wrote:
> On Thu, Apr 12, 2012 at 11:55 PM, Pete Batard<pete <at> akeo.ie> wrote:
>> On 2012.04.12 14:23, Xiaofan Chen wrote:
>>> On Thu, Apr 12, 2012 at 8:42 PM, Pete Batard<pete <at> akeo.ie> wrote:
>>>> On 2012.04.12 12:50, Xiaofan Chen wrote:
>>>>> However, I still have reservation myself on using libwdi to deploy
>>>>> the driver to end users (without them knowing it).
>>>>
>>>> If you do, then I don't think you understand what libwdi does when it
>>>> installs a driver package, and why revocation shouldn't matter.
>>>
>>> Let's just say we are very different people when it comes to the
>>> perception about the world and I respectfully disagree with your
>>> points about CA and about the libwdi approach.
>>> ...
>>> And in reality you can try to go to the OSR list and convince
>>> the driver experts there that your approach in libwdi is better.
>>
>> Maybe I'll do that, knowing that the only issue to be considered is the
>> trustworthiness of a driver package that is generated and signed by a
>> 100% open source application, which, in the case of the Zadig installer,
>> is also digitally signed by (hopefully) a trustworthy CA.
>>
>> Yeah, if I wanted to, I could introduce malicious code there, just like,
>> if I wanted to, I could get a valid CA certificate to produce a
>> malicious driver package.
>
> That is the whole problem. And not only you could do that, someone
> who knows how to use libwdi can do that as well.
Yeah, just like anyone who the end-user lets run an application in
elevated mode can do that.
Let me repeat that for you, because I don't think you understand the
concept of trust:
- As soon as you run an application as elevated, it's game over,
regardless of whether the application installs a certificate or not. It
doesn't matter whether someone knows how to use libwdi or not: if the
user trusted them to run as elevated and the app is malicious, then the
user is screwed. And the only way a libwdi app can install certs is if
it runs elevated.
- This is why you are supposed to establish trust before you run an app
that runs elevated, and this is why the official libwdi apps just don't
go around asking the user: "Self-signed by Pete Batard - trust me!" but
instead "Signed with a developer certificate issued by a *known* CA to
Pete Batard, who did verify that the person is who they say they are and
will revoke trust if required".
- Thus, when an official libwdi application installs a certificate, you
already have a chain of trust that is as good as the one you'd install
with a driver package signed using a certificate from GlobalSign or
another CA (GlobalSign themselves don't "sign" things - see below). That
is unless you want to consider that because it is a less well-known CA,
Certum is not as trustworthy as Verisign or GlobalSign, which is ridiculous.
> I believe the chances of someone creating a libwdi based driver
> installer with malicious code is actually higher.
Not at all, for the simple LOGICAL reason that to use libwdi to do
something malicious in that respect you must get the user to run your
app as elevated. You can't install certs otherwise. And if the user did
that, there's really no point bothering with certs - you're already
running code that you devised (since, because of the trust chain from
official libwdi apps, it obviously was not signed by the original libwdi
developer) and that runs elevated. Why then would you bother installing a
certificate that sees its private key discarded, to run more elevated code?
You're basically saying that someone would break into a bank vault to
change the lock, so that they can access the vault later on. Apart from
Hollywood, such a scenario makes no sense: if your goal is trusted
elevated access, which would be the one you seek from installing
malicious certs, and you plan to somehow reuse libwdi for that, then by
the time you get the self-signed cert installed, you're already elevated
so it's already game over.
> With the libwdi
> approach, the end user may not know if the driver packages
> are hacked or not and if hacked do not know who generates
> the hacked package...
If they have been hacked, then the hack came from a non-official
malicious libwdi app that ran in elevated mode. If that's the case, the
hacking of a driver package is really the least of your problems...
> With a CA cert, there is a reasonable confidence that the
> signer is indeed the signer.
And with an official libwdi app, there is EQUAL reasonable confidence
that the certificates installed are not malicious, because the app was
signed using a certificate issued by a CA cert.
> And to be very blunt, if you ask people out there, do they trust a
> guy named Pete Batard more or GlobalSign more?
Well, let me be blunt then: This statement clearly shows a complete lack
of understanding of how trust works.
First of all, GlobalSign only issues *individual* certificates, so when
you sign an app or a driver package, you don't get "Signed by
GlobalSign", but instead "Signed by X, who was vetted by GlobalSign when
the certificate was issued"... exactly the same as what you get when you
run an official libwdi application such as Zadig, and for pretty much
the same purpose: confirm that data (driver package or app) that was
created by person X was not tampered further down the line.
So your question *actually* is: "Do they trust a guy named Pete Batard,
vetted by GlobalSign or some other guy vetted by GlobalSign?"
You have to realize that GlobalSign are not behind you when you sign
anything, so it's not because something bears the stamp of a certificate
issued by a known CA (which is also the case of Zadig), that it's more
trustworthy than another.
Therefore I can only assume that you still don't understand what libwdi
does when it comes to certificate installation, and you somehow are
under the assumption that it installs self-signed certificates that bear
the name of a single individual or something.
Maybe a diagram will help. To make it even more explicit, I will pretend
that the developer signing certificate I got is from GlobalSign instead
of Certum, since it doesn't matter one bit.
Official libwdi chain of trust:

    Zadig
      |
      + <----- "Trusted" by GlobalSign (dev cert issued by GlobalSign)
      |
      \/
    Zadig (in elevated mode): installation of one-time only self-signed
    certificates, with a private key that cannot be reused
      |
      |
      \/
    certificate in the Windows cert store
      /\
      |
      |
    driver package installation, signed with the one-time private key above

Driver package signed by GlobalSign chain of trust:

    root certificate from GlobalSign in the Windows cert store
      /\
      |
      + <------ "Trusted" by GlobalSign
      |
    developer cert issued by GlobalSign
      /\
      |
      |
    driver package installation, signed with the end-user private key
    matching the end-user cert issued by GlobalSign.
In both cases, you end up with the same level of trust, because it's no
more difficult to obtain a cert from GlobalSign to create a malicious
libwdi app than to obtain one to create a malicious driver package.
The whole concept of a trust chain is based on the prospect that trust
is a transitive property. As such, what an official (signed) libwdi app
does with regards to driver package installation is no less trustworthy
than using a driver package that was signed using a certificate that was
issued by GlobalSign. And in either case, you end up with a GlobalSign
issued certificate at the end of your chain of trust.
> All in all, let's just say we are very different people when it comes
> to the perception about the world and I respectfully disagree with
> your points about CA and about the libwdi approach.
Except those are not points. Those are facts, which you refuse to
acknowledge as such, and very damagingly so.
> You can have further discussions in the OSR list. Please do not
> post to this libusb-win32 thread any more and I think people
> are bored of this kind of ideology discussion.
Feel free to delete this post all you want and consider the thread
closed. It doesn't change facts that your considerations about the
security risks are erroneous and that you are spewing damaging nonsense.
If you still see this as an ideological matter, then please spend some more
time analysing the whole security concept of the official Zadig app, and
the way it installs certificates. I've done what I could to try to bring
you up to speed with that, but there's only so much I can do if you have
already *decided* that libwdi could not be anything else but less
trustworthy than your preferred choice.
Regards,
/Pete
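The trust-chain diagrams in the post above describe an elevated installer placing a one-time self-signed certificate in the Windows cert store and signing the driver package with a key that is then discarded. The PowerShell below is an added audit example, not libwdi's or Zadig's code: it walks the signer chain of a driver package catalog and lists self-signed certificates in the Root and TrustedPublisher stores, flagging any whose private key is still present on the machine (which would contradict a "discarded key" claim). The catalog path is a placeholder.

```powershell
# Added audit example (not libwdi's or Zadig's code).
# $CatalogPath is a placeholder; point it at a driver package's signed .cat file.
param(
    [string]$CatalogPath = 'C:\path\to\driver_package\driver.cat'
)

function Get-DriverSignerChain {
    # Returns one object per certificate in the catalog's signer chain,
    # from the signing certificate up to the root it terminates in.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        Write-Warning "$Path carries no Authenticode signature (status: $($sig.Status))"
        return
    }
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for $Path is $($sig.Status)"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is deliberately not queried here; the post's argument is that a
    # one-time key has already been discarded, so its revocation state is moot.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($sig.SignerCertificate)
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        [pscustomobject]@{
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            SelfSigned = ($c.Subject -eq $c.Issuer)
            Thumbprint = $c.Thumbprint
        }
    }
}

function Get-LocallyTrustedSelfSignedCerts {
    # Self-signed certificates in the two stores Windows consults when deciding
    # whether a driver package's signer is trusted. HasPrivateKey = True means
    # the signing key is still on this machine and could sign again.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher') {
        Get-ChildItem $store | Where-Object { $_.Subject -eq $_.Issuer } | ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey
                NotBefore     = $_.NotBefore
            }
        }
    }
}

Get-DriverSignerChain -Path $CatalogPath | Format-Table -AutoSize
Get-LocallyTrustedSelfSignedCerts | Where-Object { $_.HasPrivateKey } | Format-Table -AutoSize
```

Reading the LocalMachine stores requires an elevated prompt; the final filter prints only self-signed certificates that still have a private key, so an empty result is the expected outcome for a key that was truly discarded.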