[xplorer²] — Trust me, I'm rich!
4 March 2007

The last couple of weeks I've been looking into code signing and wondering whether I should get a digital certificate for xplorer². In the end I decided not to go through the trouble. This post will explain what this digital certification process is and why it shouldn't matter to either me or you, at least as far as xplorer² is concerned.

What is authenticode?
Simply put, it is a mechanism that "guarantees" that the software you have just downloaded comes from a "certified" publisher. No more and no less. And from the scare quotes I put around "guarantee" and "certify" you can tell that neither is fool-proof, or even relevant from the end user's (that is, your) perspective.

As a result of the security panic that was Microsoft's XP SP2, Windows treats all downloads as suspect files. Depending on whether the installer you just downloaded is signed or not, you will get a security warning of some sort. Can you tell which is worse? (snapshot) Except for the shield color they look equally unsettling; they even have Cancel as the default action, both of them!

So what peace of mind do we get from the registered publisher? If you click on the publisher name in the security warning dialog (Smart Projects in our example) you get to see the certificate details, and here's how it looks (snapshot). Reassured? Hardly! At the end of the day it is all about the publisher: if you know them and trust them, have no fear; otherwise no amount of certification can save your neck. By the way, Smart Projects is a trustworthy publisher, with or without digital signatures.

It is interesting to see how Windows knows which files to warn you about. How does Explorer know that a file comes from the internet and not a CD-ROM? There is a little trick there based on alternate data streams (ADS). If you use the xplorer² ADS snooping tools on a file you just downloaded you'll find a stream called Zone.Identifier. Internet Explorer adds this after you download, and Explorer takes note when launching the file. This means that if you download with an alternative browser, e.g. Mozilla, or save your file on a disk that doesn't support ADS (e.g. a FAT32 partition), you won't get this Zone.Identifier stream. I bet Microsoft have other heuristics around these problems, e.g. forcing a security warning whenever a file contains "setup" in its name or something.
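To make the Zone.Identifier trick concrete, here is an added example (not code from the original post or from xplorer²) that reads and parses the stream the way a defender would when checking where a file came from. It assumes that Python's open() accepts the NTFS "file:stream" path syntax on Windows (it does), and the sample stream text is constructed; the ReferrerUrl and HostUrl fields are recorded by later Windows versions and were not present in 2007. The important caveat from the post is built in: a missing stream proves nothing, because another browser or a FAT32 volume simply never writes one.

```python
"""Inspect the Zone.Identifier alternate data stream on a downloaded file.

The stream is a tiny INI-style text. ZoneId=3 means "Internet", which is what
makes Explorer show the security warning. Added example; sample text below
is constructed for illustration.
"""
from typing import Optional

# Assumption: the standard Internet Explorer security zone numbers.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what the stream looks like on a file saved by IE.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/setup.exe\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Return the key=value pairs of the [ZoneTransfer] section as a dict."""
    result = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def zone_name(info: dict) -> Optional[str]:
    """Human-readable zone for a parsed stream, None if absent or unknown."""
    try:
        return ZONE_NAMES.get(int(info["ZoneId"]))
    except (KeyError, ValueError):
        return None


def mark_of_the_web(path: str) -> Optional[dict]:
    """Read and parse <path>:Zone.Identifier; None when no stream exists.

    None is NOT evidence that the file is local: files downloaded with a
    different browser, or stored on FAT32, never get the stream at all.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, "->", zone_name(info))
    print("this script itself:", mark_of_the_web(__file__))
```

Run it against a freshly downloaded file on an NTFS volume and mark_of_the_web returns the parsed dict; run it on the same file after copying to a FAT32 drive and it returns None, which is exactly the gap the post describes.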

How does code signing work?
There is a lot of posh arithmetic behind code signing with digital certificates. I don't understand much of it but the idea is simple. It is a cryptographic method based on private/public key signing, just like PGP. Files that I sign with my private key can be read only if you have my public key. You cannot infer my private key from my public key, so I can safely distribute the latter without fearing you can break it and begin impersonating me. It's like I distribute my file with a padlock and you can obtain a (public) key for it: if the key opens it then it must be my padlock. The private key (padlock) is "guaranteed" unique and hard to crack by being a very, very big prime number.

I keep the private key to myself, but how do you get my public key? It isn't convenient to hand it out individually to each user, so Windows goes to the certificate issuer to fetch it. There are these certificate authorities (more info below) that both issue digital signature keys to ISVs wishing to sign their code and make all the public keys available to users. And who certifies the certifier? That's right, certificate authorities must have a digital identity themselves, which is double-checked at each exchange. The Authenticode protocol is used for matching public/private keys against a checksum of the installer.

So it's a chain of trust thing. Microsoft trusts the certificate authority, which itself trusts the software vendor/ISV enough to issue a digital certificate, and so by proxy you trust the downloaded file enough to install and run it. But the digital certificate doesn't say anything about the quality of the program, nor does it assure that the file will not be a virus or contain spyware or generic malware. All you know is where the program came from. And that is assuming that digital certificates are impossible to forge, which they most certainly are not!
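The three paragraphs above describe signing a checksum of the installer, a CA vouching for the publisher's public key, and the OS trusting the CA. Here is an added toy example (not the post's code and not Authenticode itself) that builds that chain in miniature with textbook RSA, so you can see what the signature proves and what it does not. Assumptions: the keys are built from small, well-known Mersenne primes so it runs instantly; the "checksum" is SHA-256 truncated to 160 bits so it fits under the toy moduli; there is no padding; the certificate is just "subject|n|e" signed by the CA; and the installer bytes are constructed. Real Authenticode uses X.509 certificates, PKCS#1 padding and 2048-bit keys, but the structure of the check is the same.

```python
"""Miniature chain of trust: CA root key -> publisher certificate -> installer.

Added toy example. Textbook RSA on small Mersenne primes, no padding, digest
truncated to 160 bits. Never use any of this for real signing.
"""
import hashlib
from typing import NamedTuple, Tuple

# Known Mersenne primes 2^k - 1, used here only because they are handy primes.
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
M521, M607 = 2**521 - 1, 2**607 - 1


class KeyPair(NamedTuple):
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent, never leaves the owner


def make_key(p: int, q: int, e: int = 65537) -> KeyPair:
    """Textbook RSA key from two primes (no primality test, toy only)."""
    return KeyPair(p * q, e, pow(e, -1, (p - 1) * (q - 1)))


def digest(data: bytes) -> int:
    """Checksum of the installer as an integer.
    Toy: first 160 bits of SHA-256 so the value is below every toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(key: KeyPair, data: bytes) -> int:
    """Only the holder of d can produce this value."""
    return pow(digest(data), key.d, key.n)


def verify(n: int, e: int, data: bytes, sig: int) -> bool:
    """Anyone holding just the public (n, e) can check the signature."""
    return pow(sig, e, n) == digest(data)


def cert_bytes(subject: str, n: int, e: int) -> bytes:
    """The statement a CA signs: 'this public key belongs to subject'."""
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(ca: KeyPair, subject: str, pub_n: int, pub_e: int) -> dict:
    """The CA vouches for the binding between a name and a public key."""
    return {"subject": subject, "n": pub_n, "e": pub_e,
            "ca_sig": sign(ca, cert_bytes(subject, pub_n, pub_e))}


def verify_download(installer: bytes, cert: dict, sig: int,
                    ca_n: int, ca_e: int) -> Tuple[bool, str]:
    """What the OS does in miniature: trust the CA root, hence the certificate
    it signed, hence the installer signed by the certified key."""
    signed_part = cert_bytes(cert["subject"], cert["n"], cert["e"])
    if not verify(ca_n, ca_e, signed_part, cert["ca_sig"]):
        return False, "certificate was not issued by the trusted CA"
    if not verify(cert["n"], cert["e"], installer, sig):
        return False, "installer bytes do not match the publisher's signature"
    # Note what passing does NOT say: nothing about what the program does.
    return True, f"signed by {cert['subject']}"


def demo() -> dict:
    """Genuine, tampered and impostor cases. All inputs are constructed."""
    ca = make_key(M89, M107)          # the certificate authority's root key
    publisher = make_key(M61, M127)   # the genuine publisher's signing key
    impostor = make_key(M521, M607)   # someone else's key, never certified

    cert = issue_certificate(ca, "Zabkat", publisher.n, publisher.e)
    installer = b"constructed xplorer2 installer bytes"
    sig = sign(publisher, installer)

    genuine = verify_download(installer, cert, sig, ca.n, ca.e)
    # A modified copy fails even with the genuine certificate attached.
    tampered = verify_download(installer + b"\x00spyware", cert, sig, ca.n, ca.e)
    # An impostor can sign, but cannot obtain a "Zabkat" certificate from
    # the trusted CA, so a self-issued one is rejected at the first step.
    fake_cert = issue_certificate(impostor, "Zabkat", impostor.n, impostor.e)
    impostor_case = verify_download(installer, fake_cert,
                                    sign(impostor, installer), ca.n, ca.e)
    return {"genuine": genuine, "tampered": tampered, "impostor": impostor_case}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The tampered and impostor cases are the only ones the signature can catch; a certificate issued to a publisher who ships spyware under their own name verifies just as cleanly as an honest one, which is the point the post makes.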

What price certification?
From all the above you could infer that I consider code signing utterly useless. Actually there is a serious use for it. If some dodgy dealer cum internet hack publishes a modified version of xplorer² that includes spyware or assorted nasties, in an attempt to misuse my personal trustworthiness as a developer and ISV, then you get spyware on your computer and I get a bad name, undeservedly! Had I always signed my installer with my personal digital ID, then you would be alerted when an impostor tried to defraud us both like that. If it doesn't say Zabkat on the box it can't be genuine. Not an enormous advantage, but at least code signing isn't a complete write-off, so why don't I subscribe?

Hear me now! The procedure to obtain a digital ID is trivial. You contact a provider (e.g. Comodo, Thawte, GlobalSign, GeoTrust, or if you're really posh VeriSign) who will gladly frisk you for $200 to $500 annually just to check your name and address. There are more and less stringent identity check procedures (I bet VeriSign will get my DNA sample to justify their $500-a-year charge) but the truth of the matter is that most just get the cash and run, and check next to nothing, especially when you go through various resellers. "Just send us a photocopy of your passport" is the typical "identification" procedure. And the cost? $200 each and every year! For keeping a photocopy of my passport! (I know there are some cheaper alternatives, but how much would you trust a $20 certificate?)

I am sorry but this is a protection racket and I have to dismiss it on principle. Trust cannot be bought. You know that xplorer² is honest software because it's been around for ages and you hardly hear anything bad about it. If you only download from my website, the only approved source, you have no risk of tampered installers. Case closed. The same conclusion is reached by most other ISVs, if this report is to be trusted.

In summary: trust no one! If you come across an unknown piece of software or publisher that looks good, check it first. Do a keyword search on Google Groups to see what people are saying about the author or the program. If you see loads of complaints, problems and whatnot, steer away. Have you tried it for "xplorer²"? I have no skeletons in my closet, be my guest :)


© 2002–2007 Nikos Bozinis, all rights reserved