Software Code Signing Certificates. Do you care?
I always considered it important to have our program clearly defined as an authentic application. There is value in proving that a file you're about to install on your computer comes from a reputable company like BillP Studios. This is currently accomplished through the use of a code signing certificate created specifically for BillP Studios and used during the creation of WinPatrol. Before the release of any new version I run a code signing program from Microsoft that uses two encrypted files with uniquely assigned keys to validate and identify our WinPatrol files.
The use of a code signing certificate gives anyone who downloads our program proof that the download comes from BillP Studios and isn't malware created to fool people into thinking they're downloading WinPatrol. It also makes any change to our files detectable: a signature does not stop someone from modifying a file, but a modified file no longer matches its signature, so Windows reports it as tampered with rather than as a file from BillP Studios.
When someone installs WinPatrol they currently may see this dialog providing proof that the file has been "signed" using a certificate created for BillP Studios. To obtain a code signing certificate BillP Studios must prove it's a legitimate company. Our name, address, phone, bank account and other assets are validated by a company that is authorized to issue certificates, a "certificate authority". In our case the certificate authority is VeriSign, which is owned by Symantec. A one-year certificate also costs us a fee of $499 USD, which covers the validation process. Since our information has remained the same over the years, we're an easy case to validate.
If you click on the details arrow located on the dialog above you can learn more about who created the file and read information included in their certificate.
As you can see, this particular certificate expires on June 9th, 2012. I only have a few days to decide if I will continue relying on code certificate technology to validate WinPatrol and the other programs I create.
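As an added example, not code from the original post or from BillP Studios, the PowerShell session below shows the two things a signature actually gives you: a publisher identity that Windows checks against a trusted certificate authority, and tamper detection after the fact. It creates a throwaway self-signed code-signing certificate, signs a file, then modifies the file. The subject name and file name are hypothetical, and it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10 or later (which ship the PKI module that provides New-SelfSignedCertificate).

```powershell
# Added example, not code from the original post or from BillP Studios.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 10 or later (the PKI
# module that provides New-SelfSignedCertificate). The subject name and the file
# name are hypothetical.

# 1. A throwaway self-signed code-signing certificate in the user's personal store.
#    A publisher's real certificate is issued by a CA after vetting the company;
#    this one chains to no trusted root, which step 3 makes visible.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Publisher (test only)' `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Something to sign. Authenticode signs .exe/.dll/.msi the same way; a script
#    is used here so the demo needs no binary.
$target = Join-Path $env:TEMP 'setup-demo.ps1'
Set-Content -Path $target -Value 'Write-Host "installing..."' -Encoding ASCII

# 3. Sign it. Status comes back UnknownError, not Valid: the file IS signed, but
#    the signer does not chain to a root Windows trusts. Status reports whether
#    the publisher is trusted, not merely whether the bytes are intact.
$signed = Set-AuthenticodeSignature -FilePath $target -Certificate $cert
'{0,-14} {1}' -f $signed.Status, $signed.StatusMessage

# 4. Tamper with the signed content. Nothing prevents the write; the signature
#    only makes the change detectable, reported as HashMismatch.
(Get-Content -Path $target) -replace 'installing', 'tampered' |
    Set-Content -Path $target -Encoding ASCII
$after = Get-AuthenticodeSignature -FilePath $target
'{0,-14} {1}' -f $after.Status, $after.StatusMessage

# 5. Who signed it: the fields behind the "Verified publisher" line in the UAC
#    and download dialogs, including the expiry date (NotAfter).
$signed.SignerCertificate | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# 6. Remove the throwaway certificate so it cannot be reused by mistake.
Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint)
Remove-Item -Path $target
```

For a release binary the equivalent is signtool.exe (`signtool sign /f cert.pfx /p <password> /fd SHA256 /tr <timestamp URL> /td SHA256 setup.exe`, checked with `signtool verify /pa setup.exe`); Set-AuthenticodeSignature accepts the same `-TimestampServer` idea. The timestamp matters for the expiry question above: a countersigned timestamp proves the file was signed while the certificate was valid, so files already shipped keep verifying after June 9th even if the certificate is not renewed. Only new releases need a current certificate.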
Most people don't pay attention to the information in the first dialog, and with the older dialogs shown below most people didn't notice much difference between a signed and an unsigned program. Downloading unsigned programs has been common practice.
Last weekend the value of a signed file was diminished further. The malware known as "Flame" was shown to be carrying components signed with a certificate that chained to Microsoft's own root: the attackers obtained it through certificates issued by Microsoft's Terminal Server Licensing Service, which could be used to sign code even though they were never meant for that purpose. Microsoft responded with an emergency out-of-band update that revokes the affected certificates by moving them to the Untrusted Certificates store. Note that this was a weakness in how one CA issued certificates, not a way to forge an arbitrary publisher's signature; the fix is revocation, which only protects machines that actually install the update.
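The Flame episode is a reminder that a signature whose hash still matches can sit on a chain that has since been revoked. As an added example, not code from the original post or from BillP Studios, the function below rebuilds a signed file's certificate chain with online revocation checking for every element and flags any chain member that Windows has placed in the Untrusted Certificates store, which is where the update above put the rogue certificates. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with network access for CRL/OCSP lookups; the Downloads folder at the bottom is just an illustrative input.

```powershell
# Added example, not code from the original post or from BillP Studios.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with network access
# for CRL/OCSP lookups; the Downloads path at the bottom is illustrative.
function Test-SignerChain {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Signed = $false }
    }

    # Rebuild the signer's chain with online revocation checking for every
    # element, so a certificate its CA has since revoked is reported even though
    # the file's hash still matches the signature.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainBuilds = $chain.Build($sig.SignerCertificate)

    # Windows Update ships compromised or rogue certificates (as it did for the
    # Flame certificates) into the "Untrusted Certificates" store. Flag any
    # element of this chain that is listed there.
    $disallowed = Get-ChildItem Cert:\LocalMachine\Disallowed |
        Select-Object -ExpandProperty Thumbprint
    $blocked = $chain.ChainElements |
        ForEach-Object { $_.Certificate } |
        Where-Object { $disallowed -contains $_.Thumbprint }

    [pscustomobject]@{
        Path            = $Path
        Signed          = $true
        SignatureStatus = $sig.Status               # Valid, HashMismatch, UnknownError, ...
        Signer          = $sig.SignerCertificate.Subject
        Timestamped     = [bool]$sig.TimeStamperCertificate
        ChainBuilds     = $chainBuilds
        ChainErrors     = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        InDisallowed    = @($blocked | ForEach-Object { $_.Subject })
    }
}

# Run it over everything in a download folder and read the table before
# double-clicking anything.
Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -Filter *.exe |
    ForEach-Object { Test-SignerChain -Path $_.FullName } |
    Format-Table Path, SignatureStatus, ChainBuilds, ChainErrors, InDisallowed -AutoSize
```

A file can show SignatureStatus Valid and still have ChainErrors of Revoked or an InDisallowed entry if the machine checked the chain with stale cached revocation data; treating either condition as a failure, rather than trusting the green dialog alone, is the check a practitioner wants after an incident like this one.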
So, the question facing me this week is: should I pay $500 to Symantec so that WinPatrol can continue to be an officially signed and certified application?
On older versions of Windows and IE the difference between a signed application and an unsigned one wasn't significant. Neither dialog gives you much confidence about downloading from the internet.
This is what users would see if they downloaded the setup program for WinPatrol. How dare they suggest my file could harm someone’s computer?
If I didn't sign our setup program, the text here was actually more precise in its explanation. Most people knew what they were getting and I don't think anyone would have been deterred by this message.
Now, however, Microsoft has strengthened the warnings in Windows and made it harder to install unsigned programs.
A signed application downloaded by Internet Explorer 9 will still include a yellow warning, but it's nothing compared to the red warning that shows up if the download is not signed.
There is no option to run an unsigned program directly. To continue you must click on Actions, which brings up IE's SmartScreen dialog and generates still more fear. Besides code signing, Internet Explorer can also base its advice on a download's known "reputation". Because SmartScreen accrues reputation to the signing certificate as well as to individual file hashes, a signed new release inherits the publisher's standing instead of starting from zero as an unknown file. I'm told that as a small developer the best way to build and keep a good reputation is to sign your code.
The SmartScreen filter doesn't give you any option to continue running an unsigned program unless you click on "More Options".
Luckily, other browsers don't scare users as much, and the warning then comes from the Windows User Account Control dialog when the setup program asks for administrative rights.
Shown above is the UAC dialog when the WinPatrol setup is unsigned.
Here's the friendly dialog you'll see if WinPatrol has been signed. I doubt many users actually click on Show Details to find out more about the Verified publisher. It might be useful if a program appears out of nowhere, but since most users make a choice to download WinPatrol, having it signed doesn't really seem to be necessary. Would you see the difference and cancel a setup based on the difference in these two dialogs?
Again, I’m faced with the question of paying $500 to Symantec so I can distribute WinPatrol as a program signed using a valid certificate. Is $500 worth it for those of you who understand digital code signing? I don’t believe the concept of code signing is something users know about or understand.
As someone with an interest in cyber security my first response is to applaud Microsoft for forcing more developers to sign their code. As a developer I’m hesitant to trust code signing. I’d really rather use the $500 fee towards a new copy of Adobe Photoshop than a security certificate nobody will pay attention to.
I’ll make a decision within a couple days so I welcome your feedback. Leave your comments here or on Twitter to @BillP
Update June 8, 2012: Thank you all for providing great feedback. Comments were even more detailed than I expected. Based on well thought out advice I will continue to sign WinPatrol, its components and setup program. Most folks say they ignore code signing information but they also agree it’s respectful to WinPatrol users for BillP Studios to provide a validated WinPatrol file before they download it.
It was actually a friend working for Microsoft who pointed me to a “certificate authority” that provided a code signing certificate for $95 USD instead of the $500 I’ve been paying every year. It’s always good to shop around but in this case the difference in price for virtually the same product is amazing.
Resources:
PC Magazine: Microsoft Revokes Certificates Used by Flame Malware (June 4, 2012)
Ars Technica: Flame malware hijacks Windows Update to spread from PC to PC (June 4, 2012)
Ars Technica: "Flame" malware was signed by rogue Microsoft certificate (June 4, 2012)
Wikipedia: Code Signing
Symantec: VeriSign Code Signing Certificates
EricLaw's IE Internals (MSDN Blogs): Everything you need to know about Authenticode Code Signing (March 22, 2011)
Microsoft Security Response Center: Security Advisory 2718704: Update to Phased Mitigation Strategy (June 4, 2012)