Of Ads and Signatures

Both advertisements and signatures have been with us in the analogue realm for ages, the society has learned about their usefulness and limits. We have learned that it’s (usually) hard to judge the impact of a single ad, and that the process of actually validating a contested signature is not trivial. There is a good reason why the law requires more than a single signature to authorize the transfer of real estate.

Both concepts have been translated to the digital, online world.

And in both cases, there were promises that the new, digital and online versions of ads/signatures can deliver features that their old, analogue counterparts could not do.

For ads, it was the promise of real-time tracking of their effectiveness. You could do “clickthrough rates” measuring how often the ad was clicked by a viewer. The holy grail of ad effectivity tracking is the fabled “conversion rate”: you can measure how many people actually bought your product after clicking an ad.

For signatures, it was the promise of automated validation. If you get a digitally signed document, you should be able to actually verify (and can have 100% trust in the result) whether it was really signed by the signatory. Remember: in the analogue world, almost nobody actually does this. The lay person can detect crude forgeries, but even that only if the recipient has access to samples of authentic signatures. In reality, a closer inspection of handwritten signatures is only done for important transactions, or in the case of a dispute.

So how did things work out after a few years of experience with digital ads and signatures?

Digital ads are in a midlife crisis. We’re in a death spiral of low clickthrough rates, more obnoxious formats, ad-blockers and ad-blocker-blockers. Just look at the emergence of Taboola and similar click-bait.
Digital signatures are at a cross-road as well: The take-up rates of solutions based on smart-card readers have been underwhelming so far. This applies to the German ePerso as well as to the Austrian citizen card. The usability just isn’t there. So there has been a push to increase the take-up rate by introducing alternatives to smart-card technology. That won’t make it more secure. Not at all.

So what’s the common lesson? In theory, both digital ads and signatures can offer features that their old, analogue counterparts just cannot deliver. In practice, they are killing themselves by over-promising. As long as click-through rates are the prime measurement of online ads, their death spiral will continue. And as long as digital signatures continue to promise instant, high-confidence validation, they will not achieve the take-up rates needed for broad acceptance.

Continuing the current trajectory will lead to a hard crash for both technologies. On one side it’s the ad-blocker, on the other side it’s malware.

The level of spam in the email ecosystem meant that no mail-service can exist in the market without a built-in spam-filtering solution. And given the early ad-excesses every browser includes a pop-up blocker these days. If the advertisers continue on their path of getting attention at all costs, ad-blocking will become a must-have feature in all browsers, and not just an optional ad-on (as right now).

Any digital security solution that protects actual money has been under vigorous attack. The cat and mouse game between online-banking defenders and attackers is a good lesson. The same will happen if digital signature solutions start to be actually relevant. And good luck if your “let’s make digital signatures more user-friendly” approach is actually less secure than what online-banking is using these days.

So what’s the solution?

In my opinion the right way to approach both topics is to reduce the promise. Make digital ads static images. No animation. No dynamic loading of js-code (which is its own security nightmare). Don’t overtax the visitor’s resources (bandwidth, browser-performance). No tracking. Tone it down. Don’t expect instant effects. Don’t promise clicktrough rate.

For digital signatures: Mass deployment is only possible for “non-qualified signatures”. Don’t promise “you can fully and solely rely on our solution”. Just sell “this is a good indication”, or “use this as one factor in your security design”. Prepare for it to be attacked and broken. Only use it when you have a pre-planned way to recover from such a breach. The real word is full of applications where signatures are used in a very low-security / low-impact settings. The state-sponsored digital identity solutions needs to think of those, too. For the high-impact, high-confidence settings I always have to think about the mantra we use at work: “You can’t mandate trust.”

The Edge browser

Wasn’t one of the main goals of junking the Internet Explorer codebase and building a brand new browser “Edge” the hope that there won’t be the monthly batch of patches for remote code execution vulnerabilities?

I haven’t tabulated the advisories but somehow I don’t have the feeling that things have gotten substantially better.


It looks to me like we still aren’t using the right programming environments for such complex pieces of software. There is still way too much basic security tooling the programmers have to do by themselves. Just like you shouldn’t do string operations in pure ANSI C, we need to rise the level of abstractions that all these browser bugs (that lead to RCE) just are not possible any more.

Adobe Flash Updates

Today we’ve seen yet another Adobe Flash Player update due to serious problems. So be it.

One thing always sets my teeth on edge when doing/verifying it: The number of clicks it takes me to check the version of the currently running Flash plugin. It would be far too simple if the download page (which is prominently linked everywhere) would just tell me if I need to upgrade. No, I have to click on “Learn more about Flash Player”, then “Product Page”, then “FAQ”, then scroll down to “How can I tell if I have the latest version of Flash Player installed and whether it is working correctly?”, click to reveal the answer, then click “Testing page”.

And then I have to manually compare the version shown above with the latest version listed by operating system and browser beneath.

What the fscking hell is Adobe thinking? They’ve been a top reason for PC infections for the last years (Flash + Acrobat) and still they don’t tell their web-visitors as quickly and efficiently whether they need to update.

Can someone please administer the necessary clues with a suitable LART?

The Evolution of Conference Wireless

  • 2003: RIPE offers to rent out PCMCIA wifi cards to attendees of the RIPE conference.
  • 2007: Every attendee has a laptop with built-in wifi.
  • 2012: Every attendant brings a Laptop and at least one smartphone, some bring tablets as well.

We have ~500 attendees at #FIRSTCON this week; I wonder how many distinct clients the wifi net has seen.

DNSSEC Troubles

I’ve given my share of DNSSEC talks over the last three years. I usually explain what exactly DNSSEC provides and what it does not. One of the downsides I tell ISPs about is that other people’s DNSSEC errors will hit your call-center if you’re doing DNSSEC-validation.

This just happened to Comcast.

I really recommend that anyone enabling DNSSEC validation on their resolvers should be prepared for this case. The report from Comcast is instructive, especially the media fallout they had to cope with.

#DigiNotar and paying for an audit

The question Mozilla, Microsoft and Apple should be asking themselves now is:

Which other CA do they trust based on an audit by PwC? Their green light on DigiNotar was so flawed that I have serious doubts about anyone else they certified as a trustworthy CA.

This is a bit like the financial rating agencies at the height of the 2008 banking crisis: why the hell should I trust the audit/rating of someone who is paid by the people they are auditing/rating and who need an “all fine”/AAA result?

Adobe Madness

I finally bit he bullet and upgraded to Reader 10.x to get the security benefits of the sandbox.


  • Why this f*cking bloatware of the Download Manager as a Firefox plugin. WTF?
  • And why do these bastards try to sneak in McAfee software? I did not see the checkbox.

See also this thread in the Adobe forums.

Way to go, Adobe. Do you really think pissing of customers, especially security professionals is good company policy?

Attacking PalPay, Visa, and Mastercard

The story so far: WikiLeaks posted some secrets, the US governments throws a hissy fit and some spineless companies see it as their “patriotic duty” to withheld service from WikiLeaks. This doesn’t especially endear them to the 4chan/Anonymous crowd which then starts to DDoS the pushovers.

So how is a Civil Libertarian and Network Security guy supposed to react to that?

Two bads don’t make a right. There are better ways to show disgust of and punish those electronic money movers. Attacking their operation cannot be the right answer.

But: I’ve been arguing for years now that one of the few ways to actually shut down some of the real menaces (not the imagined ones like WikiLeadks) of the Internet like Spammers, Fake AV Software scams, Viagra/… sellers, and other frauds would be to deny them the credit card payment option.

Thus, MasterCard and Visa: If you are so eager to distance yourself from WikiLeaks, when nobody can even tell you what actual laws they are supposed to have violated, why are you not able to deny service to the frauds when it is absolutely clear that they violate laws and cost the worldwide economy huge sums of money to clean up their crap?

Memo to Security Conference Organizers

First of all, there are more security conferences in September and October in Europe than any sensible organization will ever want to send people to. Sorry.

Aggressive hard-sell phone calls will not help. Quite to the contrary.

And if you send email invitations, remember that you’re sending mail to security professionals. Including tracking images in the HTML version and linking to a tracked version of your conference website is considered rude in these circles.

Cut it out.