
Is it actually possible for everyone to sign their executables? Last time I did it, I had to fork over something like $250/yr for a signing key along with providing copies of various documents. This seems a little high for someone who just, say, wants to make free utilities available to the world.

In the case of Firefox, one would think it would be possible for you guys to do something about it on your end, because you're the ones who added this reputation system that's causing users grief. Record known-good SHA or MD5 sums of unsigned apps like Firefox that you know are okay, for example. Or just not default this feature on.




So, I also worked on this team (and am good friends with mjard). At some point there was a big decision made to heavily bias the engine against "unknown" executables. I said it was a bad idea then, and I still think it is now. The only way it can "know" about an executable is via its source, or its signature, or if it is on other users' machines. This creates the obvious huge problem for "the little guy" distributing software. They actually think this is no big deal, and when it steps on toes, the distributor can just use their dispute system and eventually they will fix it. And if you don't like it, you can just get your software signed. I was of the opinion that this was bad behavior and unreasonable. They really liked what it did for review scores (surprise, we detect everything!). I lost.

Create a harmless helloworld.exe and put it on a random website. Download and run it. If things haven't changed since I left, it will get flagged as malware.

What I can say is that this has nothing to do with trying to crush the little guy or malice. With some exceptions, there is a general attitude there of not caring, or caring about the wrong things. Hanlon's Razor a little bit.


Wait... A typical gamedev studio uses 50-100 own executables, if not more. Directly from perforce/svn/etc. In between studios.

....


Version control products won't have to deal with the reputation engine.


> Is it actually possible for everyone to sign their executables? Last time I did it, I had to fork over something like $250/yr for a signing key along with providing copies of various documents. This seems a little high for someone who just, say, wants to make free utilities available to the world.

No, it's not. If you sell programs, then forking over the $250 a year makes sense. If you give away programs, well, is it a loss if a user is scared off? (Serious question)

> In the case of Firefox, one would think it would be possible for you guys to do something about it on your end.

In the end, this is what we did. But it is impossible to do this for everybody.

> because you're the ones who added this reputation system that's causing users grief.

Oh boy. We did keep stats on this. Files that the reputation system scored to be "bad" and were later vetted. All in all, the reputation system works really well. There are some false positives and those do cause grief, but a majority of the time, the system blocks legitimately bad software.


It's "easy" to build a program with the same length and md5 code as another program. The md5 hash is useful as a protection against accidental collision, but it is not secure enough as a protection against an attack. http://en.wikipedia.org/wiki/MD5#Collision_vulnerabilities


The fact that MD5 is broken has nothing to do with building a database of known-good binaries, because anyone would just use some other hash.

And also, current practical attacks on MD5 (and also on MD4) can be used to find two different strings with the same digest (which is not so useful in this case), not a string with the same digest as some other predetermined string. For this to be exploitable, the same organization would have to create two binaries, one trustworthy and one not. There is no reason to do that, as such code is mostly deemed trustworthy on the basis of who published it, not what it does.
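
The collision versus second-preimage distinction drawn in the comment above, shown as an added example that is not part of the thread: a hash truncated to 18 bits (a toy stand-in chosen here, not MD5 itself) makes both searches cheap enough to run and compare. The message prefixes and the "known-good" byte string are constructed for the demo.

```python
import hashlib
from itertools import count

BITS = 18  # toy digest width (assumption for the demo); real MD5 is 128 bits


def toy_digest(data: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of SHA-256: a deliberately weak stand-in hash."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") >> (32 - bits)


def find_collision(bits: int = BITS):
    """Searcher chooses BOTH inputs: any two messages with equal digests."""
    seen = {}
    for tries in count(1):
        msg = b"collide-%d" % tries
        d = toy_digest(msg, bits)
        if d in seen:
            return seen[d], msg, tries
        seen[d] = msg


def find_second_preimage(target: bytes, bits: int = BITS):
    """Digest is fixed in advance, as with an entry in a known-good list."""
    want = toy_digest(target, bits)
    for tries in count(1):
        msg = b"forge-%d" % tries
        if toy_digest(msg, bits) == want:
            return msg, tries


if __name__ == "__main__":
    a, b, c_tries = find_collision()
    known_good = b"constructed stand-in for a vetted binary"
    forged, p_tries = find_second_preimage(known_good)
    print(f"collision after {c_tries} hashes (birthday bound ~2^{BITS // 2})")
    print(f"second preimage after {p_tries} hashes (expected ~2^{BITS})")
```

A known-good digest list relies on second-preimage resistance, which is the expensive search here; the cheap collision search only helps a party who authors both files.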



