Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Tuesday, June 05, 2012

Software Code Signing Certificates. Do you care?

I have always considered it important to have our program clearly identified as an authentic application. There is value in proving that a file you’re about to install on your computer comes from a reputable company like BillP Studios. This is currently accomplished with a code signing certificate issued specifically to BillP Studios and used when building WinPatrol. Before the release of any new version, I run a code signing program from Microsoft that uses two encrypted files with uniquely assigned keys to sign our WinPatrol files so they can be validated and identified.

The use of a code signing certificate gives anyone who downloads our program proof that the download comes from BillP Studios and isn’t malware created to fool people into thinking they’re downloading WinPatrol. It also means any change made to our files after signing will break the signature.

[Image: Windows UAC dialog showing WinPatrol with a verified publisher]
When someone installs WinPatrol they currently may see this dialog, providing proof that the file has been “signed” using a certificate created for BillP Studios. To obtain a code signing certificate, BillP Studios must prove it’s a legitimate company. Our name, address, phone, bank account and other assets are validated by a company that is authorized to issue certificates. In our case, the “certificate authority” is VeriSign, which is owned by Symantec. For a one-year certificate we also have to pay a fee of $499 USD for the validation process. Since our information has remained the same over the years, we’re an easy case.

[Image: certificate details for BillP Studios]
If you click on the details arrow on the dialog above, you can learn more about who created the file and read the information included in the certificate.

As you can see, this particular certificate expires on June 9th, 2012. I only have a few days to decide whether I will continue relying on code certificate technology to validate WinPatrol and the other programs I create.

Most people don’t really pay attention to the information provided in the first dialog, and with the older dialogs shown below most people didn’t notice much difference. It has been common practice to download programs that weren’t signed.

Last weekend the value of a signed file was diminished even further. It was publicly exposed how certificates could be faked: the virus known as “Flame” was shown to be using a certificate that appeared to come from Microsoft. This forced Microsoft to release a dangerous emergency update this weekend to revoke several security certificates.
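Since the post compares the signed and unsigned install dialogs and then turns to the Flame revocations, here is an added PowerShell example (mine, not code from the post or from BillP Studios) that checks an installer’s Authenticode signature the way the “Verified publisher” dialog does and then explicitly re-checks the signer’s chain for revocation. The installer path, the function name `Test-InstallerSignature` and the output fields are assumptions.

```powershell
# Added example, not code from the original post or from BillP Studios.
# The path is an assumed placeholder, not a real WinPatrol download.
$InstallerPath = "$env:USERPROFILE\Downloads\installer-to-check.exe"

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status maps onto the dialogs discussed in the post:
    #   Valid        -> "Verified publisher" in the UAC prompt
    #   NotSigned    -> the "Unknown publisher" warning
    #   HashMismatch -> the file was changed after it was signed
    $result = [ordered]@{
        File         = $Path
        Status       = $sig.Status
        Message      = $sig.StatusMessage
        Publisher    = $null
        Issuer       = $null
        Timestamped  = $false
        RevocationOk = $false
    }
    if ($null -eq $sig.SignerCertificate) { return [pscustomobject]$result }

    $cert = $sig.SignerCertificate
    $result.Publisher = $cert.GetNameInfo('SimpleName', $false)  # what UAC shows as publisher
    $result.Issuer    = $cert.GetNameInfo('SimpleName', $true)   # the CA that vetted the publisher
    # A countersignature timestamp keeps a signature valid after the signing
    # certificate itself expires, so already-shipped releases survive the expiry date.
    $result.Timestamped = ($null -ne $sig.TimeStamperCertificate)

    # Rebuild the chain with online CRL/OCSP checks on every certificate in it.
    # Time validity is ignored here because Get-AuthenticodeSignature already
    # judged it (using the timestamp); this step only asks "was anything revoked?"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'Online'
    $chain.ChainPolicy.RevocationFlag    = 'EntireChain'
    $chain.ChainPolicy.VerificationFlags = 'IgnoreNotTimeValid'
    # Require the code signing EKU so a certificate issued for another purpose fails.
    [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
    $result.RevocationOk = $chain.Build($cert)
    if (-not $result.RevocationOk) {
        $result.Message = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
    [pscustomobject]$result
}

Test-InstallerSignature -Path $InstallerPath | Format-List
```

A file with Status `Valid` but `RevocationOk` false is exactly the case the Flame revocations created: the signature itself still checks out, but the chain behind it is no longer trusted.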

So, the question facing me this week is: should I pay $500 to Symantec so I can continue to distribute WinPatrol as an officially signed and certified application?

On older versions of Windows and IE the difference between a signed application and an unsigned one wasn’t significant. Neither dialog gives you much confidence about downloading from the internet.

[Image: older Windows download warning for the signed WinPatrol setup]
This is what users would see if they downloaded the setup program for WinPatrol. How dare they suggest my file could harm someone’s computer?

[Image: older Windows download warning for an unsigned setup]
If I didn’t sign our setup program, the text here is actually more precise in its explanation. Most people knew what they were getting, and I don’t think anyone would have been deterred by this message.

Now, however, Microsoft Windows has increased its warnings and made it harder to install unsigned programs.

[Image: Internet Explorer 9 download bar for a signed file]
A signed application downloaded with Internet Explorer 9 will still show a yellow warning, but it’s nothing compared to the red warning that appears if the download is not signed.
[Image: Internet Explorer 9 red warning for an unsigned download]
There is no option to Run an unsigned program. To continue you must click on Actions, which brings up the even more alarming SmartScreen dialog. Besides code signing, Internet Explorer can also base its advice on a known “reputation”. I’m told that, as a small developer, the best way to maintain a good reputation is to sign your code.

[Image: Internet Explorer SmartScreen dialog]
The SmartScreen filter doesn’t give you any option to continue running an unsigned program unless you click on “More Options”.

Luckily, other browsers don’t scare users as much, and your warning will come from the Windows User Account Control dialog instead.
[Image: UAC dialog for the unsigned WinPatrol setup downloaded with Chrome]
Shown above is the dialog when the WinPatrol setup is unsigned.

[Image: UAC dialog for the signed WinPatrol setup, showing a verified publisher]
Here’s the friendly dialog you’ll see if WinPatrol has been signed. I doubt many users actually click on Show Details to find out more about the verified publisher. It might be useful if a program appears out of nowhere, but since most users make a deliberate choice to download WinPatrol, having it signed doesn’t really seem necessary. Would you notice the difference and cancel a setup based on the difference between these two dialogs?

Again, I’m faced with the question of paying $500 to Symantec so I can distribute WinPatrol as a program signed with a valid certificate. Is $500 worth it, for those of you who understand digital code signing? I don’t believe code signing is a concept users know about or understand.

As someone with an interest in cyber security, my first response is to applaud Microsoft for forcing more developers to sign their code. As a developer, I’m hesitant to trust code signing. I’d really rather put the $500 fee towards a new copy of Adobe Photoshop than a security certificate nobody will pay attention to.

I’ll make a decision within a couple of days, so I welcome your feedback. Leave your comments here or on Twitter to @BillP.


Update June 8, 2012: Thank you all for providing great feedback. Comments were even more detailed than I expected. Based on well-thought-out advice I will continue to sign WinPatrol, its components and its setup program. Most folks say they ignore code signing information, but they also agree it’s respectful to WinPatrol users for BillP Studios to provide a validated WinPatrol file before they download it.

It was actually a friend working for Microsoft who pointed me to a “certificate authority” that provided a code signing certificate for $95 USD instead of the $500 I’ve been paying every year. It’s always good to shop around, but in this case the difference in price for virtually the same product is amazing.


Resources:
PC Magazine: Microsoft Revokes Certificates Used by Flame Malware (June 4, 2012)
Ars Technica: Flame malware hijacks Windows Update to spread from PC to PC (June 4, 2012)
Ars Technica: “Flame” malware was signed by rogue Microsoft certificate (June 4, 2012)
Wikipedia: Code Signing
Symantec: VeriSign Code Signing Certificates
MSDN Blogs, EricLaw’s IE Internals: Everything you need to know about Authenticode Code Signing (March 22, 2011)
Microsoft Security Response Center: Security Advisory 2718704: Update to Phased Mitigation Strategy (June 4, 2012)



20 Comments:

Anonymous Anonymous said...

I consider myself a fairly careful downloader/installer, and while I do like to see a signed certificate, I often install a program without a certificate. But I make sure I know where the program came from.
So if you decide to drop the certificate it wouldn't concern me.

1:12 AM  
Anonymous Anonymous said...

Verisign is about the most expensive way to sign your code. Digicert is half the price, and less for a multi-year certificate. There are others.

1:48 AM  
Anonymous Joe Connell said...

Tough question. If it was not possible to fake a license then certainly the $500 is worth it - but, well ....

2:56 AM  
Anonymous Anonymous said...

Bill I'm surprised that it costs $500 for one year in order to be "verified". I use Firefox instead of IE, so can (and do) install "unknown" programs without too much trouble, though of course if there's doubt about where the executable came from, I use Comodo Internet Security to scan the file first. Anyway I vote NO for spending all that money.

7:33 AM  
Blogger writeman47 said...

I'm basically an experienced user without a "geek" background. Having used your products for years, I trust you, and will continue to do so whether you sign or not. But here's my thought for what it's worth: I like the fact that you DO sign your codes. It makes me trust you even more. I'd gladly pay a little more for your products to help raise the $500 so you can keep on signing.

Gary
Stockbridge, GA

9:00 AM  
Blogger Unknown said...

Your notes about code signing made me immediately wonder: I'm using Symantec's Norton Internet Security. Why should BOTH of us pay them for protection???

Sandy Brown

2:47 PM  
Anonymous Frank T said...

Save your money Bill, ditch the verisign.

3:14 PM  
Anonymous Anonymous said...

It's true many of us long-time users have confidence in your product and may have installed the newer releases without verifying whether it was signed or not.
As for the new users, just about anything can be Googled and it would not take long for them to see the positive track record your product provides. The reviews at CNET, MajorGeeks, etc speak for themselves.
Bottom line, I think it is an unneeded expense.
... Duke

7:36 PM  
Blogger Eike Heinze said...

Bill, ditch VeriSign and their rip-off pricing.
You may want to think about establishing some checksum system so we can verify the correctness of what we have downloaded.
Having said that, I admit that I hardly ever have tested checksums if they were offered.
I rather download only from "trusted" sources. I have been using Windows since its very inception and so far have done well this way.

10:16 PM  
Anonymous Anonymous said...

It seems to me that it is revenue dependent. Is this only a small dent in revenue or a large amount? If it's a large amount, then either ditch the verification or go with a cheaper provider.

2:37 PM  
Anonymous Anonymous said...

I'm always careful downloading, and do only from trusted sites. So, I usually don't check any details or options.

6:27 PM  
Blogger Pete said...

Appreciate Code Signing Certificates especially when used by companies that are in the Software Security business.

The Certificate Authority you have used, however, seems (too) expensive. Please consider using another CA.

Some of the SW Vendors I value highly due to their awesome freeware products, use, e.g. COMODO Code Signing Certificates. The price of them would seem to be only a fraction of the cost you mention in your blog.

4:39 PM  
Blogger Jeannieland said...

The only issue with Comodo and some other SSL certificates can be versioning and support. A lot of folks aren't running the latest and greatest browsers and O/Ses.

Just a heads up that there can be compatibility issues with some CAs. UPS discovered this last year, apparently. Sometimes bigger IS better.

OTOH, if the only people you do business with are technophiles you might have no problems.

4:07 PM  
Blogger Jeannieland said...

This comment has been removed by the author.

4:09 PM  
Blogger Unknown said...

Jeannieland,

While I would be very pleased to have you comment and back up your statements you'd be welcome to identify yourself as a Symantec employee. I have no problems with VeriSign and I've met some bright people from Symantec.

Posting this information without acknowledging the source is an insult to my readers and makes your company seem a bit pitiful.

I know how to read access logs and it's not like I get that many comments. The kind of company that has to troll blogs posting anonymously isn't the image I had for Symantec.

Next time, please acknowledge you're a company rep. Your post will come across a lot more credible.

Bill

10:42 PM  
Blogger Unknown said...

This comment has been removed by the author.

10:43 PM  
Anonymous Brian Watkins said...

Hi, I’m the Global Social Media Strategist for Symantec and I wanted to clarify that the comment referenced in the blog post was not part of any official or sanctioned outreach from Symantec’s marketing efforts.

Symantec fully supports the principle of transparency, and the company’s social media policy requires that employees identify themselves as employees when posting on topics related to Symantec or Symantec’s products and services. We take this very seriously.

Many thanks to you for bringing this issue to our attention and promoting transparency in the online space.

Brian Watkins
Global Social Media Strategist
Symantec Corporation

1:26 PM  
Blogger Unknown said...

Brian,

Thanks for clearing that up. As I said, I'm pleased to have worked with some very bright people at Symantec so this surprised me.

Enjoy,
Bill

1:48 PM  
Anonymous Leo said...

Bill,

Thanks for the detailed report!

I'm a Mac developer and now I need to buy a certificate to participate in a non-Apple project.

Just FYI: Apple charges $99/yr for their developer program which, among other things, includes their code signing certificate. No extra charges.

Now I look at those 'certificate authorities' and honestly I believe they just blatantly extort money from hard working developers without providing any real services.

For example, my Internet hosting provider charges $12/month for a business package. But I know what I'm paying for and that they do work hard to provide the services I need.

The cheapest 'authority' wants to charge me $11/month - for life - for what? What is that they're doing to justify this price? In my view, exactly NOTHING.

I believe that a one-time $30 charge would be more than enough for their 'services'.

(And yes, I also found the K Software resellers - I still believe it's expensive but better than others.)

I wonder what's your opinion on that?

Thanks,

Leo Revzin
--
Zevrix Solutions
Solutions for Graphics, Print & File Delivery
www.zevrix.com

8:06 PM  
Anonymous Thawte Code Signing said...

It's all a clarification of Code Signing Certificate security and its technical specification. I got answers to all my issues in order to compose a tutorial article on code signing certificates. We really appreciate your efforts.

5:24 AM  
