J
Jim
Perhaps I am missing something about certificates but they seem
useless for identifying clients. I know I can create and issue unique
certificates to each of my clients but they seem to be as easy to
steal as info from an INI file or data from the registry. Even if a
customer logs in with a non-administrator account, most likely, if
they install a trojan, it will be running under that same login
account. That trojan can then programmatically export the certificate
and send it to the attacker. Am I missing something?
I did have an interesting idea for a security feature for Windows. I
have no illusions that Microsoft will listen to this idea but I still
feel the need to state it out loud. Windows XP and Windows 2003
already have features that calculate a signature (hash) for a program
to guarantee the program has not been tampered with. I wish the OS
provided a way to create a private store linked to that signature.
The OS would guarantee that only that program/DLL can access the
contents of the private store. The Administrator login would have the
rights to delete the store but not to access its contents.
With such a feature, you could create a small app that can establish
an SSL connection to a backend server. Over that connection you could
send the customer a serial number or even a certificate which is
guaranteed only accessible on that machine by that program. That
private data could be used in password calculations. If the customer
wants to use another computer, they would have to run the Registration
process there also which would transfer the same serial number over an
SSL connection.
Any ideas where I can post this suggestion so that Microsoft can
ignore me?
useless for identifying clients. I know I can create and issue unique
certificates to each of my clients but they seem to be as easy to
steal as info from an INI file or data from the registry. Even if a
customer logs in with a non-administrator account, most likely, if
they install a trojan, it will be running under that same login
account. That trojan can then programmatically export the certificate
and send it to the attacker. Am I missing something?
I did have an interesting idea for a security feature for Windows. I
have no illusions that Microsoft will listen to this idea but I still
feel the need to state it out loud. Windows XP and Windows 2003
already have features that calculate a signature (hash) for a program
to guarantee the program has not been tampered with. I wish the OS
provided a way to create a private store linked to that signature.
The OS would guarantee that only that program/DLL can access the
contents of the private store. The Administrator login would have the
rights to delete the store but not to access its contents.
With such a feature, you could create a small app that can establish
an SSL connection to a backend server. Over that connection you could
send the customer a serial number or even a certificate which is
guaranteed only accessible on that machine by that program. That
private data could be used in password calculations. If the customer
wants to use another computer, they would have to run the Registration
process there also which would transfer the same serial number over an
SSL connection.
Any ideas where I can post this suggestion so that Microsoft can
ignore me?