I completely respect what you are saying, and in the beginning that was basically my position -- that these antivirus companies are only hurting themselves with these bullshit lazy false positives.

-mouser (March 22, 2010, 10:43 AM)

Are you sure that they're hurting themselves?
I'm not sure there's more people did not buy antivirus because they heard of false positives on UPX than people whom bought the antivirus software *because* of false positive (see "buy full version to fix the file"). What's about all the people whom do have common sense and don't run viruses, whom would quit paying for antivirus if it never finds anything? Think of all the regular people, friends and family, whom you helped set up their PC, are you so sure that they wouldn't choose one of the antiviruses that 'detects the virus' over those which 'fail to detect the virus'? That they would and could tell apart situation when antivirus A has false positive from situation when antivirus B has false negative? Surely, everyone understands that antivirus can fail to detect a virus - but are you sure everyone understand that antivirus can lie that it detected a virus? What's about enormous commercial success of fake/fraudulent antivirus software?

All in all, i'm not convinced that antivirus companies are hurting themselves with their false positives. Hurting others, sure, but themselves, i'd assume they would work to determine optimal false positive rate, for the best balance between negative publicity and the extra sales to scared people, and would stay close to this optimal false positive rate.

I'm not proposing to "secure things with CA" - but SSL certs (and code signing certs) need the CA system unless you want to rely on self-signed certs (and how do you verify the validity of those, then?).

-f0dder (March 04, 2010, 06:07 PM)

Ok, let me rephrase that. You're implicitly assuming that CAs provide authentication. <a href="http://www.schneier.com/blog/archives/2006/02/impressive_phis.html">They don't</a>. If you ever read legal disclaimers made by CAs, you may notice that they are not claiming to provide authentication, but rather disclaiming this.
The whole situation is extremely ridiculous. The only real difference between CA-signed and self-signed certificate is that CA-signed certificate leaves you a few bucks poorer.
A bank could issue me with instructions for checking certificate signature. In person. (The bank, in fact, already gives me password generator device. What bank actually needs is good old simple shared secret cryptosystem - using this generator's code as shared secret. SSL doesn't support anything of that sort, and using SSL in this context is like hammering in screws because all we got is a hammer and a screw looks similar enough to a nail)

In case of SSL certificates, you know, there's no bigass warning for real spoof site. The only warning you have for real spoof is lack of tiny yellow lock icon.

-Dmytry (March 04, 2010, 05:53 AM)

Which is enough for power users (the ones that be keeping their software up todate, unlike regular users).

Don't you see what's ridiculous here? The only warning for real phishing victims is absence of yellow lock icon. Yet the browser displays extreme warnings for self signed certificates.

Authentication isn't the only thing SSL does, though, confidentality and tamper-resistance are just as important.

Indeed. What we have in practice is that a lot of sites which need confidentiality and tamper-resistance but not so much authentication are not using SSL at all because a browser displays scary warnings for self signed or expired certificate but no warnings what so ever for unsecured site.

The bigass warning is mostly shown to customers of legitimate businesses whom forgot to pay racket money (forgot to renew certificate).

-Dmytry (March 04, 2010, 05:53 AM)

And I do believe this is a problem. SSL certs and code signing certs are a bit on the expensive side. Code signing certs are slightly difficult to obtain, but that's mostly a positive thing, though.

There's been no known case of use of expired certificate by malicious party. Yearly expiration is only good for CA revenues, as means of protection it is laughable. On average, there will be 6 months from leak of current certificate to it's expiration; surely, the certificate should be revoked much sooner.

edit: to make it clearer.
Browser behaviour for increasing security level:
0: No SSL: absence of tiny yellow padlock icon [that's all the warning most phishing victims get].
1.0: SSL with no 'authentication' or expired certificate: extremely scary warnings [which no phishing victims ever see].
1.1: SSL, CA-issued certificate (very insecure authentication by CA): no warnings.[some phishers obtain CA-issued certificate]
End result: level 1, which most often is good enough against plausible attacks (sniffing) is unusable; a lot of sites which should use level 1 use level 0; a few use level 1.1, providing immense revenues for CAs.

Also as for whitelisting only known software - again, that's extortion. Norton's upcoming rating based whitelisting scheme in particular. If your software is not rated up, it's not whitelisted, and will not be rated up. How will you get it whitelisted, well, some paid certifications or other crap.

Ditto by the way for digital certificates and 'certificate authorities'. Extortion scheme, pure and simple, not very effective for protection because it is possible to steal certificate, but extremely effective for having various people make billions by doing very little. Everyone who doesn't pay up is subject to plain libel delivered when user tries to run the application* The libel also devalues genuinely useful warnings.
[edit: *or enter ssl site with self-signed certificate. Notably, there's no warning for non-SSL site at all. A somewhat more secure site generates scary warnings which less secure site doesn't! To make warnings go away you must regularly pay hefty sum of money to the big name racketeers to keep your cert up to date - else you lose certain small but substantial percentage of users. Paying money to racketeers is immoral; the money get used for harm. The only thing that certificate certifies is fact that you bulged in to the racket and you're paying ~$100 to racketeers each year; it does not verify that you're well intentioned, that your site was not hacked, and so on, it does not even verify that you are who you say you are].