Digitally signing GIFs, JPEGs, etc.

JJ

Everyone knows that images embedded in Web pages can contain exploits of all
kinds. Why don't Microsoft and other vendors make it possible to digitally
sign images created using their tools just like it's possible to sign a .NET
assembly?

Or is this already available? I don't know since I'm just a developer. I use
images created by Web designers.

JJ
 
CanSpam

Signing assumes trust to certificates.
Trust assumes "you are not to be trusted if you say you are who you are", e.g. someone else (with Reputation) has to sign on it. And those companies don't do it for free since they are required to check you (Verisign, Thawte, etc... just look into your Trusted Root CA). And they put their reputation in their assertion that you and the name in your certificate really match.
Signing would mean a split fee for a signed image (in the form of a yearly subscription to a service of a Certificate Authority), paid by author.
So we (in fact, Microsoft) are better off eliminating exploits in DLLs.
Do I make myself clear?

"JJ" <JJ@discussions.microsoft.com> wrote in message news:AE1840FA-07BA-4858-B5CD-AD798E97CC3A@microsoft.com...
> Everyone knows that images embedded in Web pages can contain exploits of all
> kinds. Why don't Microsoft and other vendors make it possible to digitally
> sign images created using their tools just like it's possible to sign a .NET
> assembly?
>
> Or is this already available? I don't know since I'm just a developer. I use
> images created by Web designers.
>
> JJ
 
JJ

Yep. The author has to pay for it. What's the problem with that? How come
you, Microsoft, as you've made clear, are protecting the interests of those who
author all of a sudden?

You just don't want to introduce technologies that would really make a
difference in security. Your products are reactive to what the media and
other true security researchers discover as vulnerabilities. You don't have a
proactive strategy for security in your products.

Do I make myself clear?


"CanSpam" wrote:

> Signing assumes trust to certificates.
> Trust assumes "you are not to be trusted if you say you are who you are", e.g. someone else (with Reputation) has to sign on it. And those companies don't do it for free since they are required to check you (Verisign, Thawte, etc... just look into your Trusted Root CA). And they put their reputation in their assertion that you and the name in your certificate really match.
> Signing would mean a split fee for a signed image (in the form of a yearly subscription to a service of a Certificate Authority), paid by author.
> So we (in fact, Microsoft) are better off eliminating exploits in DLLs.
> Do I make myself clear?
>
> "JJ" <JJ@discussions.microsoft.com> wrote in message news:AE1840FA-07BA-4858-B5CD-AD798E97CC3A@microsoft.com...
> > Everyone knows that images embedded in Web pages can contain exploits of all
> > kinds. Why don't Microsoft and other vendors make it possible to digitally
> > sign images created using their tools just like it's possible to sign a .NET
> > assembly?
> >
> > Or is this already available? I don't know since I'm just a developer. I use
> > images created by Web designers.
> >
> > JJ

 
JJ

What kind of theory says "you are not to be trusted if you say you are who
you are" ?
Haven't you heard of biometric authentication? Biometric authentication,
done right, would determine that you are who you say you are.

JJ

"CanSpam" wrote:

> Signing assumes trust to certificates.
> Trust assumes "you are not to be trusted if you say you are who you are", e.g. someone else (with Reputation) has to sign on it. And those companies don't do it for free since they are required to check you (Verisign, Thawte, etc... just look into your Trusted Root CA). And they put their reputation in their assertion that you and the name in your certificate really match.
> Signing would mean a split fee for a signed image (in the form of a yearly subscription to a service of a Certificate Authority), paid by author.
> So we (in fact, Microsoft) are better off eliminating exploits in DLLs.
> Do I make myself clear?
>
> "JJ" <JJ@discussions.microsoft.com> wrote in message news:AE1840FA-07BA-4858-B5CD-AD798E97CC3A@microsoft.com...
> > Everyone knows that images embedded in Web pages can contain exploits of all
> > kinds. Why don't Microsoft and other vendors make it possible to digitally
> > sign images created using their tools just like it's possible to sign a .NET
> > assembly?
> >
> > Or is this already available? I don't know since I'm just a developer. I use
> > images created by Web designers.
> >
> > JJ

 
