A Perfect Use For Digital Signatures
By Daniel Miessler on May 4th, 2005
I’m in the middle of doing a vulnerability assessment for a client, and in the course of my preparation I got into a discussion with another consultant about the fact that the latest versions of Nessus don’t include the “Enable All But Dangerous Plugins” option.
Well, there is another option within the settings called “safe checks”, and it was my belief that “safe checks” are in fact the same thing as “enable all but dangerous”. The justified confusion comes from the fact that many plugins labeled dangerous are still enabled (they have checkboxes next to them) when the “safe checks” option is enabled — a fact that tends to give you a bad feeling when you’re about to run the tool on a full class B.
So anyway, I naturally Googled for the answer and found the proof I was looking for, and it turns out it was from none other than Renaud Deraison himself (the creator of Nessus). Here’s the quote I found, and it was in response to the question of whether or not users were supposed to manually uncheck all the “dangerous” plugins given the lack of the other button:
No – it was simply redundant with the ‘safe checks’ option. — Renaud
Well, while that was somewhat comforting, I couldn’t help but notice that this would be an excellent place for a digital signature. It’s not that I doubt this was really him saying this, it’s just that when you’re about to do something as serious as scan a class B using all plugins (but with safe checks on), it’d be nice to have a solid web of trust behind you.
Normally, most people (to include important people) are doing little more than expressing opinions that do little damage when spoofed. In these circumstances it’s arguably overkill to bring the strength of a “web of trust” to bear on such comments. But when a lead developer for a product with production implications across the globe says in effect, “don’t worry, this feature means you won’t DoS your clients”, the benefit of digital signatures becomes a whole lot more evident.