For the last couple of weeks I've been looking into code signing and wondering whether I should get a digital certificate for xplorer². In the end I decided not to go through the trouble. This post explains what this digital certification process is and why it shouldn't matter to either me or you, at least as far as xplorer² is concerned.
What is Authenticode?
As a result of the security panic that was Microsoft's XP SP2, Windows treats all downloads as suspect files. Depending on whether the installer you just downloaded is signed or not, you get a security warning of one sort or another. Can you tell which is worse? (snapshot) Except for the shield color they look equally unsettling; they even have Cancel as the default action, both of them!
So what peace of mind do we get from a registered publisher? If you click on the publisher name in the security warning dialog (Smart Projects in our example) you get to see the certificate details, and here's what it looks like (snapshot). Reassured? Hardly! At the end of the day it is all about the publisher: if you know them and trust them, have no fear; otherwise no amount of certification can save your neck. Btw, Smart Projects is a trustworthy publisher, with or without digital signatures.
It is interesting to see how Windows knows which files to warn you about. How does Explorer know that a file came from the internet and not from a CD-ROM? There is a little trick based on alternate data streams (ADS). If you use the xplorer² ADS snooping tools on a file you just downloaded you'll find a stream called Zone.Identifier. Internet Explorer adds this stream when you download a file, and Explorer checks for it when you launch the file. This means that if you download with an alternative browser, e.g. Mozilla, or save your file on a disk that doesn't support ADS (e.g. a FAT32 partition), you won't get the Zone.Identifier stream. I bet Microsoft have other heuristics around these problems, e.g. forcing a security warning whenever a file contains "setup" in its name or something.
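To make the trick concrete, here is a small Go program, added as an illustration and not part of xplorer² or of Windows, that reads and interprets a Zone.Identifier stream. The zone numbers (0 for Local Machine up to 4 for Restricted Sites) are the standard Internet Explorer security zones; the `file:Zone.Identifier` way of opening a named stream is only understood for NTFS volumes on Windows, which is exactly why a copy on FAT32 loses the tag. The parser itself runs anywhere on the constructed sample embedded in `main`, and keeps any extra keys in the section (newer Windows versions add ReferrerUrl and HostUrl lines) so a triage tool can show where a file came from.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// zoneNames follows the URLZONE numbering Internet Explorer writes into the stream.
var zoneNames = map[int]string{
	0: "Local Machine",
	1: "Local Intranet",
	2: "Trusted Sites",
	3: "Internet",
	4: "Restricted Sites",
}

// ErrNoZone means the stream is absent or carries no ZoneId: the case in the
// post where a download from another browser, or a copy on FAT32, launches
// with no warning at all.
var ErrNoZone = errors.New("no Zone.Identifier information")

// ParseZoneIdentifier parses the INI-style stream contents ("[ZoneTransfer]"
// followed by "ZoneId=N") and returns the zone plus any other keys in that
// section, such as the ReferrerUrl and HostUrl lines newer Windows versions add.
func ParseZoneIdentifier(data string) (int, map[string]string, error) {
	zone, extra, inSection := -1, map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, ";"):
			continue
		case strings.HasPrefix(line, "["):
			inSection = strings.EqualFold(line, "[ZoneTransfer]")
		case inSection:
			k, v, ok := strings.Cut(line, "=")
			if !ok {
				continue
			}
			k, v = strings.TrimSpace(k), strings.TrimSpace(v)
			if !strings.EqualFold(k, "ZoneId") {
				extra[k] = v
				continue
			}
			n, err := strconv.Atoi(v)
			if err != nil {
				return -1, nil, fmt.Errorf("malformed ZoneId %q: %w", v, err)
			}
			zone = n
		}
	}
	if zone < 0 {
		return -1, nil, ErrNoZone
	}
	return zone, extra, nil
}

// ZoneName maps a zone number to the label shown in Internet Options.
func ZoneName(zone int) string {
	if name, ok := zoneNames[zone]; ok {
		return name
	}
	return "Unknown zone " + strconv.Itoa(zone)
}

// ReadFileZone reads the alternate data stream of a file on disk. The
// "name:stream" syntax is only understood for NTFS volumes on Windows; on
// anything else the stream simply does not exist, and neither does the warning.
func ReadFileZone(path string) (int, map[string]string, error) {
	data, err := os.ReadFile(path + ":Zone.Identifier")
	if err != nil {
		return -1, nil, ErrNoZone
	}
	return ParseZoneIdentifier(string(data))
}

func main() {
	// Constructed sample of what Internet Explorer writes after a download.
	sample := "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/download\r\n"
	zone, extra, err := ParseZoneIdentifier(sample)
	fmt.Printf("sample: zone %d (%s) extra=%v err=%v\n", zone, ZoneName(zone), extra, err)
	// Any paths given on the command line are checked for a real stream.
	for _, p := range os.Args[1:] {
		if z, _, err := ReadFileZone(p); err != nil {
			fmt.Printf("%s: %v (Explorer would launch it without a warning)\n", p, err)
		} else {
			fmt.Printf("%s: zone %d (%s)\n", p, z, ZoneName(z))
		}
	}
}
```

Run it on a Windows box as `go run zone.go C:\path\to\download.exe` to see the zone Explorer will act on; on a file copied to FAT32, or downloaded by a browser that does not write the stream, it reports the ErrNoZone case the post describes.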
How does code signing work?
Code signing works with a pair of keys. I keep the private key to myself, but how do you get my public key? It isn't convenient to hand it out individually to each user, so Windows goes to the certificate issuer to fetch it. These certificate authorities (more info below) both issue digital signature keys to ISVs wishing to sign their code and make all the public keys available to users. And who certifies the certifier? That's right, certificate authorities have to have a digital identity themselves, which is double-checked at each exchange. Authenticode is the protocol that ties this together: the private key signs a checksum of the installer, and the matching public key is used to verify that signature.
So it's a chain of trust thing. Microsoft trusts the certificate authority, which in turn trusts the software vendor/ISV enough to issue a digital certificate, and so by proxy you trust the downloaded file enough to install and run it. But the digital certificate says nothing about the quality of the program, nor does it assure you that the file isn't a virus or doesn't contain spyware or other malware. All you know is where the program came from. And that is assuming that digital certificates are impossible to forge — which they most certainly are not!
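The chain just described, as an added example that is not code from this post, from xplorer² or from Microsoft: a toy CA issues a code-signing certificate to a publisher, the publisher signs a hash of a constructed "installer", and the verifier walks the chain back to a trusted root before it checks the signature. The Go standard library's x509 and ecdsa packages stand in for Authenticode's PKCS#7 signature format; the names "Example Root CA (constructed)" and "Smart Projects (constructed)" are made up. The three scenarios show what the check does and does not tell you: a genuine file verifies, a file with one byte changed after signing fails, and a certificate bearing the same publisher name but issued by a CA outside the trust store fails. Nothing in `Verify` looks at what the file does, which is the point of the paragraph above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a key pair plus the certificate naming its owner.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// must panics on error so the scenario code below stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewIdentity generates a key and certificate for name. With issuer == nil the
// certificate is self-signed (a root CA); otherwise issuer signs it, which is the
// "CA vouches for the publisher" step. Publisher certificates get the code-signing
// extended key usage and are not allowed to issue certificates themselves.
func NewIdentity(name string, isCA bool, issuer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Key: key, Cert: cert}, err
}

// Sign hashes the installer and signs the digest: as with Authenticode, the
// signature covers a checksum of the file rather than the file itself.
func (id *Identity) Sign(installer []byte) ([]byte, error) {
	digest := sha256.Sum256(installer)
	return ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
}

// Verify is what the OS does before it shows a publisher name: walk the chain from
// the publisher's certificate to a trusted root, check the certificate was issued
// for code signing, then check the signature against the file's digest.
func Verify(roots *x509.CertPool, cert *x509.Certificate, installer, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("publisher not trusted: %w", err)
	}
	digest := sha256.Sum256(installer)
	if !ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), digest[:], sig) {
		return fmt.Errorf("signature does not match file contents")
	}
	return nil
}

// Scenarios reports which of three downloads verify: a genuine signed file, the
// same file changed after signing, and a file signed under a certificate from a
// CA that is not in the trust store, even though the publisher name matches.
func Scenarios() (genuine, tampered, untrustedCA bool) {
	root := must(NewIdentity("Example Root CA (constructed)", true, nil))
	isv := must(NewIdentity("Smart Projects (constructed)", false, root))
	installer := []byte("MZ constructed installer bytes, not a real executable")
	sig := must(isv.Sign(installer))
	roots := x509.NewCertPool()
	roots.AddCert(root.Cert)
	genuine = Verify(roots, isv.Cert, installer, sig) == nil
	modified := append([]byte{}, installer...)
	modified[len(modified)-1] ^= 0xff // one byte changed after signing
	tampered = Verify(roots, isv.Cert, modified, sig) == nil
	otherRoot := must(NewIdentity("Some Other CA (constructed)", true, nil))
	other := must(NewIdentity("Smart Projects (constructed)", false, otherRoot))
	untrustedCA = Verify(roots, other.Cert, installer, must(other.Sign(installer))) == nil
	return
}

func main() {
	fmt.Println(Scenarios()) // expected: true false false
}
```

Real Authenticode adds a timestamp and revocation checks on top of this, and bundles the publisher's certificate inside the signed file; the toy keeps only the part the paragraph is about, namely that a valid chain proves who signed, not what was signed.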
What price certification?
Hear me now! The procedure to obtain a digital ID is trivial. You contact a provider (e.g. Comodo, Thawte, GlobalSign, GeoTrust, or if you're really posh VeriSign) who will gladly relieve you of $200–$500 annually just to check your name and address. There are more and less stringent identity check procedures (I bet VeriSign will want my DNA sample to justify their $500 a year charge) but the truth of the matter is that most just get the cash and run, and check next to nothing, especially when you go through various resellers. "Just send us a photocopy of your passport" is the typical "identification" procedure. And the cost? $200 each and every year! For keeping a photocopy of my passport! (I know there are some cheaper alternatives, but how much would you trust a $20 certificate?)
I am sorry but this is a protection racket and I have to dismiss it on principle. Trust cannot be bought. You know that xplorer² is honest software because it's been around for ages and you hardly hear anything bad about it. If you only download from my website, the only approved source, you run no risk of tampered installers. Case closed. Most other ISVs reach the same conclusion, if this report is to be trusted.
In summary: trust no one! If you come across an unknown piece of software or publisher that looks good, check it out first. Do a keyword search on Google Groups to see what people are saying about the author or the program. If you see loads of complaints, problems and whatnot, steer away. Have you tried it for "xplorer²"? I have no skeletons in my closet, be my guest :)
© 2002–2007 Nikos Bozinis, all rights reserved