We are all familiar with the message-box “Always trust s/w from NVIDIA/Microsoft/Big Name.” We click on these with confidence, because DNSsec (officially required since June 2010,) is remarkably secure in employing RSA certificates in ways that are difficult to counterfeit.
However, large corporations are not the only entities empowered to install “trusted” code. In fact browsers, such as Firefox, Chrome, and Internet Explorer, maintain a list of trusted certificates, any one of which will suffice to install certified code on any windows PC, unattended. The pop-up box is obligatory, not intrinsically required.
Conscientious programmers have noted that whenever a browser is updated, manually entered exclusions, (such as “No Malaysian RSA authorized software at all,”) are clobbered, or over-written.
One solution to this, for security obligated employers, is to employ Open Source’s freedom to modify, to insert a pop-up alert, or “nag,” EVERY time any RSA cert is invoked.
The purpose of such an alert, would be to denote that ANY software was installing unattended. Every virus writer drools over the idea, and nation-states that promote A.P.T.’s or turn a blind eye to abuse, are very capable of compromising their own RSA certificate(s,) for nefarious purposes. As with Hitchcock’s classic “Strangers on a Train,” the bad actors need not incriminate themselves, if they are appropriately sophisticated.
Despite the allure of this solution, it requires some understanding of Certificates, on the part of the end user. It used to be commonplace, for a legitimate Certificate to be flagged for error, due to date/time stamp inaccuracies in the BIOS of the end user’s machine.