Italian Digital Signature Software Exposed to Man-in-the-middle Attack?

An independent researcher compiled a list of known Apple OSX-related vulnerabilities, including one that affects the Sparkle Updater Framework.

I’ve just checked my Mac with this command

find /Applications -name Sparkle.framework

and found that DikeX, the old version of the digital-signature tool released by Infocert S.p.A., uses Sparkle. I don’t know if the software is plagued by the bug, but this is exactly the point: nobody from Infocert has warned users about it with a single word.
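The same check taken one step further, as an added example that is not part of the original post: for each bundled Sparkle.framework it reports the framework's version and whether the host app declares its update feed (Sparkle's SUFeedURL key in Info.plist) over https, since a feed fetched over plain http can be altered in transit. It assumes the feed is declared in Info.plist; apps that set it in code are listed as needing review.

```python
import os
import plistlib
import sys
from urllib.parse import urlparse


def read_plist(path):
    """Return the plist at path as a dict, or {} if missing or unparsable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # handles XML and binary plists
    except Exception:  # missing file, bad XML, bad binary plist
        return {}
    return data if isinstance(data, dict) else {}


def framework_version(fw):
    """Sparkle's own version, trying the framework layouts seen in app bundles."""
    for rel in ("Resources", "Versions/A/Resources", "Versions/Current/Resources"):
        info = read_plist(os.path.join(fw, rel, "Info.plist"))
        if info:
            return info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")
    return None


def audit_sparkle(root="/Applications"):
    """Return one finding per Sparkle.framework directory found under root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if "Sparkle.framework" not in dirnames:
            continue
        dirnames.remove("Sparkle.framework")  # no need to descend into it
        fw = os.path.join(dirpath, "Sparkle.framework")
        idx = fw.rfind(".app" + os.sep)  # innermost enclosing .app bundle
        app = fw[:idx + 4] if idx != -1 else None
        info = read_plist(os.path.join(app, "Contents", "Info.plist")) if app else {}
        feed = info.get("SUFeedURL")  # Sparkle's Info.plist key for the appcast URL
        scheme = urlparse(feed).scheme.lower() if isinstance(feed, str) else None
        findings.append({"app": app, "sparkle_version": framework_version(fw),
                         "feed": feed, "feed_scheme": scheme,
                         # assumption: non-https or undeclared feed merits a manual look
                         "needs_review": scheme != "https"})
    return findings


if __name__ == "__main__":
    for f in audit_sparkle(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print("REVIEW" if f["needs_review"] else "ok    ", f["app"],
              f"sparkle={f['sparkle_version']} feed={f['feed']}")
```

Run it with no argument to scan /Applications, or pass another directory to scan instead.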

Does SHA-7 belong to the US NSA?

As everybody knows, SHA-n is a series of cryptographic algorithms developed by the NSA and published by the US NIST. The current SHA-n lineup includes SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512.

On the contrary, SHA-7 (see this link – Italian only, sorry), a “proprietary, patented encryption algorithm” developed by an Italian company, doesn’t belong to the original “family” and doesn’t have any endorsement by the scientific community.

I wonder why SHA-7 designers have chosen this confusing name for their code.



Infocert, electronic signature and technology discrimination

Here we are again. Infocert – one of the biggest electronic signature providers in Italy – confirmed its technology lock-in attitude by pushing users toward Microsoft Windows.

Infocert released its USB-based all-in-one solution named Businesskey and advertises its dongle as a “hassle-free” tool, with no installation required. This is not entirely true, because the system only works under Microsoft Windows: no Linux or Mac OSX support. Admittedly, Infocert did release a Linux and MacOSX desktop-based version of Dike (the software client needed to handle the electronic signature), but didn’t do the same as a “portable app”.

Consequences are clear and don’t need further explanation. What is astonishing is the silence of both Government and Authorities, which are allowing private entities to force citizens to pay not insignificant sums of money to get public services.

Digital Signature. A chance for change?

After ten years, Italy might let its digital signature legal framework move toward a coherent system.

Current legislation – Legislative Decree 82/2005 – is still affected by unclear definitions, EU directive translation errors and technical misunderstanding.

If passed in Parliament, draft law AC1441-bis will assign Government the power to amend these mistakes, a non-impossible mission if only the persons concerned take their time to fully understand the issues debated since 1997 and never fully resolved.

More to come, as soon as Parliament passes the law containing the amendment principles.