There is a secretive battle being waged for control of the software on your desktop, and unless you’re working in software configuration or a Micro ISV, you probably aren’t even aware of it.
The battle is over code signing, and how software developers are held to ransom by the code signing certification authorities (one in particular; see if you can figure out which!) to purchase expensive certificates, and, in the case of developing a “Certified For Windows” application, with no real technical need at all!
What is Code Signing?
Code signing is a process which allows software publishers to use a certificate to “stamp” or sign code (usually program installers). This process imprints the publisher’s details onto the file so that when users run the file they can decide whether to trust the publisher and allow the content to run, or not.
When a publisher signs code, it is like applying a seal to it. It proves that the code hasn’t been tampered with since it was signed, it shows who the code comes from, and only someone holding the correct signet ring (the publisher’s private signing key) can make the stamp.
Why use Code Signing?
The internet has made anyone with the right tools and aptitude into a potential software publisher. This means that a lot more hackers, script kiddies and novices can put their own “free” malware openly on the internet. People can release software, pretending it comes from someone else – or worse still, damage a company’s reputation by releasing fake spoofed software.
Users now have a way to determine whether the software they have is genuine. The code signing “stamp” on the file is also broken if the file is modified after signing without the publisher’s involvement. By using only code signed installers, you know that the file is unmodified and comes from whom it purports to be.
Although the use of certificates in computer security has been around for over a decade, Microsoft has created its own Code Signing technology, dubbed “Authenticode”. In order for a publisher to get on board with “Authenticode” to sign their software, they must purchase an “Authenticode” type certificate from one of Microsoft’s trusted partners.
The way certification authorities work is that Microsoft explicitly trusts a small group of privately-owned companies to issue certificates only to companies which have paid for and passed the security checks (usually checking business address, registration, contact details, etc.). So, if you sign your code with a certificate obtained from one of Microsoft’s trusted group of partner companies, Microsoft Windows will acknowledge your certificate as potentially trusted and ask the user whether they always want to install your software, never install it, or be asked each time software from this publisher is run. For example:
The user can then click the publisher’s link to view pre-defined information about the publisher taken from the certificate.
If the unfortunate publisher could not or did not sign their file, you would see messages like the following:
The problem… The Microsoft “Certified For” Testing Racket
Anyone can create their own certificate, in seconds. Your own certificate, containing a public/private key pair, can be created by yourself in order to authenticate secure email, or used with PGP (Pretty Good Privacy) for file encryption.
The issue is that your own DIY certificate stamp isn’t sufficient. You need to be checked out first by one of Microsoft’s partners to see if they think you warrant a certificate (of course they will, they want your money after all). The CAs provide a vetting service, checking the identification documents of whichever organisation wishes to obtain a certificate issued by a Trusted Authority. Microsoft calls these organisations “Trusted Root Certification Authorities”, meaning that any certificate they issue is trusted (and hence not hand made by Mr. Hacker).
Certificates can be purchased from any one of the companies on Microsoft’s “Trusted Root Certification Authorities” list:
The trouble is, getting one of these companies to make a certificate for you can be time consuming, and expensive.
My company is a proud Microsoft Partner. But there are things Microsoft do that are simply unethical. For example, preventing the certification of your software unless you hand over a bulk of unnecessary cash to the Verisign corporation. An Authenticode certificate from any of the other providers (Thawte, Comodo, etc.) simply won’t work; it has to be from Verisign. This is for business and not technical reasons. Antitrust, anyone?
For example – compare the prices of an Authenticode certificate from these two providers:
Verisign: $499 / year (with discounts on multiple years to $431/year for a three year term) – standard code signing certificate
Comodo: $179 / year (with discounts on multi-year purchases).
What’s the difference? None. Except, you won’t be allowed onto the Microsoft “Certified For Windows” testing scheme until you’ve paid for the most expensive certificate. Even if your software doesn’t use it. I know… I’ve had to purchase both. Verisign took 3 weeks to process our certificate; they wanted to check all manner of business utility bills and phone numbers, and test our fax machine and email, before they would issue a certificate. Comodo issued a certificate immediately without any checks whatsoever. Comodo were also 3 weeks late in sending us our VAT invoice, as apparently the support team was in hospital in January (talk about crazy excuses for a 250 person business!). Both vendors take immediate payment, however. Nice to see medium and large sized tech businesses screwing the smaller ones on price & service…
As a proud vendor of quality software, I of course want to put everything we make through the most rigorous testing procedures possible in the industry. Since we develop software for Microsoft Windows and Server platforms, it makes sense that our software is certified for use on the platforms for which it was designed.
In order for any vendor to test their software to Microsoft standards, it must be handed over to a third party testing organisation (e.g. Lionbridge) to be tested. It must also be code signed with a special code signing certificate that has to be purchased from Verisign. We had been using our own in-house code signing certificates up to this point. Needless to say, Verisign is the most expensive code signing provider in the market.
Also, since Microsoft released Windows Vista, the fearsome warning messages about unsigned code have become even more prominent. These messages “warn” users about unsigned code. Some platforms may be configured to not allow any untrusted/unsigned code to execute. Any professional software development house will have its own certificate to sign its files, or risk dealing with unnecessarily confused users, potential damage to business reputation, and lost downloads & sales.
What about customers?
There are benefits to using signed software. Obviously, if Bob from next door wrote some software for you, it’s unlikely to be professionally code signed. However, you can probably trust Bob. If you download and install some software that purports to be from “Microsoft Corporation”, but on clicking the publisher link (see pictures above) you see that the certificate wasn’t issued by a trusted provider (Vista provides suitable red warnings for this), then it is obvious that the certificate is a spoof.
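The seal analogy, the DIY certificate and the spoof check above, as an added PowerShell example that is not part of the original post: it creates a self-signed code signing certificate (assumed: Windows with the PKI module and PowerShell 5.1 or later), signs a constructed sample script, shows that Windows reports the signature but not a trusted chain, then tampers with the file and shows the seal break. The function name Test-CodeSignature, the certificate subject and the file name are all constructed for this example.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1+
# with the PKI module. Names and sample files are constructed.

# Report what a verifier actually learns from an Authenticode signature:
# who signed, who issued the certificate, and whether the hash still matches.
function Test-CodeSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
        Detail     = $sig.StatusMessage
        Publisher  = if ($cert) { $cert.Subject } else { '(none)' }
        Issuer     = if ($cert) { $cert.Issuer }  else { '(none)' }
        # A hand-made stamp vouches for itself: issuer equals subject, so the
        # chain never reaches a Trusted Root Certification Authority.
        SelfSigned = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $false }
    }
}

# 1. A DIY certificate: anyone can create one in seconds.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Example Micro ISV (constructed self-signed cert)' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Sign a constructed sample installer script with it.
$script = Join-Path $env:TEMP 'sample-installer.ps1'
Set-Content -Path $script -Value 'Write-Output "installing..."'
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

# The file is signed and the hash is intact, but Status is not Valid
# (typically UnknownError, with a message that the chain terminated in a
# root certificate the trust provider does not trust). SelfSigned is True.
Test-CodeSignature -Path $script

# 3. Tamper with the signed content: the seal no longer matches the file,
# so the status changes to HashMismatch even though the signature block
# itself is still present.
$body = Get-Content -Path $script -Raw
Set-Content -Path $script -Value ($body -replace 'installing', 'TAMPERED') -NoNewline
Test-CodeSignature -Path $script

# Clean up the constructed certificate and sample file.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Remove-Item -Path $script
```

Only a certificate that chains to an entry in the Trusted Root Certification Authorities store gives Status Valid; the same check is what the publisher link in the installer prompt shows the user.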
What do I suggest?
If you’re a software developer: Pay Comodo for a code signing certificate, but try to find an affiliate that provides them cheaper than the list price. They are out there – drop me a comment if you want a link to my preferred affiliate’s store. When and if you go for “Certified” testing, contact Microsoft and tell them what you think about having to purchase another certificate from Verisign.
If you’re a consumer/computer user: Just because something is signed does not mean that it is not dangerous. If software is signed, it doesn’t mean that the software is safe, tested, or anything like that. It may not even be a guarantee that the software is from who it says it’s from. Trust no-one, and only obtain your software from legitimate sources (not BitTorrent or P2P filesharing).
What needs to happen?
Either there needs to be increased competition between the trusted root certification authorities, or Microsoft needs to acknowledge that a freely available or cheap trusted code signer should be made available for entry-level Micro ISVs. Certainly the security checks offered by the root certification authorities need to be policed. Comodo sent out our certificate moments after purchase, presumably without making any checks. Verisign took three weeks. I am not sure what Verisign were actually doing during this time. Your mileage with certification authorities may vary.
Code Signing isn’t the only segment Microsoft have wrapped up. They’re into SSL, Client Authentication, and Secure Email. You need certificates for all of these. With SSL certificates at around $1,000 per year (from Comodo for multiple sub-domains), is it any wonder more and more hosting providers are moving away from Windows to cheaper Linux based hosting solutions and charging more for use of their SSL certificates?
This is not a free market with open competition.
What do you think? Let me know, drop me a comment!