There is a secretive battle being waged for control of the software on your desktop, and unless you’re working in software configuration or a Micro ISV, you probably aren’t even aware of it.
The battle is over code signing, and how software developers are held ransom by the code signing certification authorities (one in particular, see if you can figure out which!), to purchase expensive certificates, and in the case of developing a “Certified For Windows” application, with no real technical need at all!
What is Code Signing?
Code signing is a process which allows software publishers to use a certificate in order to “stamp” or sign code (usually program installers). This process imprints the publisher’s details onto the file so that when users use the file they can decide whether to trust the publisher and allow the content to run, or not.
When a publisher signs code, it is like applying a seal to it. It proves that the code hasn’t been tampered with, it shows who the code comes from, and only those with the correct signet ring or stamp can make the stamp.
Why use Code Signing?
The internet has made anyone with the right tools and aptitude into a potential software publisher. This means that a lot more hackers, script kiddies and novices can put their own “free” malware openly on the internet. People can release software, pretending it comes from someone else – or worse still, damage a company’s reputation by releasing fake spoofed software.
Users now have a way to determine if the software they have is trustworthy. The code signing “stamp” on the file is also broken if the file is modified without the publisher’s permission. By using only code signed installers, you know that the file is genuine and from whom it purports to be.
Although the use of certificates in computer security has been around for over a decade, Microsoft has created its own Code Signing technology, dubbed “Authenticode”. In order for a publisher to get on board with “Authenticode” to sign their software, they must purchase an “Authenticode” type certificate from one of Microsoft’s trusted partners.
The way certification authorities work is that Microsoft explicitly trusts a small group of privately-owned companies to only issue certificates to companies which have paid for and passed the security checks (usually checking business address, registration, contact details, etc). In this way, by signing your code with a certificate that has been obtained from one of Microsoft’s trusted group of partner companies – Microsoft Windows will acknowledge your certificate as potentially trusted and ask the user if they always want to install your software, never install, or to ask each time software from this publisher is run. For example:
The user can then click the link of the publisher to view pre-defined information about the publisher from the certificate.
If the unfortunate publisher could not or did not sign their file, you would see messages like the following:
The problem… The Microsoft “Certified For” Testing Racket
Creating your own certificates can be done by anyone – in seconds. Your own certificate containing a public/private key pair can be created by yourself in order to authenticate secure email, or used with PGP (Pretty Good Privacy) for file encryption.
The issue is that your own DIY certificate stamp isn’t sufficient. You need to be checked out first by one of Microsoft’s partners to see if they think you warrant a certificate (of course they will, they want your money after all). The CA’s provide a vetting service, checking the identification documents of whichever organisation wishes to obtain a certificate issued by a Trusted Authority. Microsoft calls these organisations, “Trusted Root Certification Authorities”, meaning that any certificate they issue is trusted (and hence, not hand made by Mr. Hacker).
Certificates can be purchased from any one of the companies on Microsoft’s “Trusted Root Certification Authorities” list:
The trouble is, getting one of these companies to make a certificate for you can be time consuming, and expensive.
My company is a proud Microsoft Partner. But there are things Microsoft do that are simply unethical. For example, preventing the certification of your software unless you hand over a bulk of unnecessary cash to the Verisign corporation. An Authenticode certificate from any of the other providers, (Thawte, Comodo, etc) simply won’t work – it has to be from Verisign. This is for business and not technical reasons. Anti Trust, anyone?
For example – compare the prices of an Authenticode certificate from these two providers:
Verisign: $499 / year (with discounts on multiple years to $431/year for a three year term) – standard code signing certificate
Comodo: $179 / year (with discounts on multi-year purchases).
What’s the difference? None. Except, you won’t be allowed onto the Microsoft “Certified For Windows” testing scheme until you’ve paid for the most expensive certificate. Even if your software doesn’t use it. I know… I’ve had to purchase both. Verisign took 3 weeks to process our certificate, they wanted to check all manner of business utility bills, phone numbers, test our fax machine and email before they would issue a certificate. Comodo issued a certificate immediately without any checks whatsoever. Comodo were also 3 weeks late in sending us our VAT invoice as apparently the support team was in hospital in January (talk about crazy excuses for a 250 person business!). Both vendors take immediate payment, however. Nice to see medium and large sized tech businesses screwing the smaller ones on price & service…
As a proud vendor of quality software, I of course want to put everything we make through the most rigorous testing procedures possible in the industry. Since we develop software for Microsoft Windows and Server platforms, it makes sense that our software is certified for use on the platforms for which it was designed.
In order for any vendor to test their software to Microsoft standards, it must be handed over to a third party testing organisation (e.g. Lionbridge) to be tested. It must also be code signed with a special code signing certificate, that has to be purchased from Verisign. We had been using our own in house code signing certificates up till this point. Needless to say, Verisign is the most expensive code signing provider in the market.
Also, since Microsoft released Windows Vista the fearsome warning messages about unsigned code have become even more prominent. These messages “warn” users about unsigned code. Some platforms may be configured to not allow any untrusted/unsigned code to execute. Any professional software development house will have its own certificate to sign its files or risk dealing with unnecessarily confused users, potential damage to business reputation, and lost downloads & sales.
What about customers?
There are benefits to using signed software. Obviously if Bob from next door wrote some software for you, it’s unlikely to be professionally code signed. However, you can probably trust Bob. If you download and install some software that purports to be from “Microsoft Corporation”, but on clicking the publisher link (see pictures above) you see that the certificate wasn’t issued by a trusted provider (Vista provides suitable red warnings for this), then it is obvious that the certificate is a spoof.
What do I suggest?
If you’re a software developer: Pay Comodo for a code signing certificate, but try to find an affiliate that provides them cheaper than the list price. They are out there – drop me a comment if you want a link to my preferred affiliate’s store. When and if you go for “Certified” testing, contact Microsoft and tell them what you think about having to purchase another certificate from Verisign.
If you’re a consumer/computer user: Because something is signed, does not mean that it is not dangerous. If software is signed, it doesn’t mean that the software is safe, tested, or anything like that. It may not even be a guarantee that the software is from who it says it’s from. Trust no-one, and only obtain your software from legitimate sources (not BitTorrent or P2P filesharing).
What needs to happen?
Either increased competition between the trusted root certification authorities or Microsoft needs to acknowledge that a freely available / cheap trusted code signer be made available for entry level Micro ISV’s. Certainly the security checks offered by the root certification authorities need to be policed. Comodo sent out our certificate moments after purchase, presumably without making any checks. Verisign took three weeks. I am not sure what Verisign were actually doing during this time. Your mileage with certification authorities may vary.
Code Signing isn’t the only segment Microsoft have wrapped up. They’re into SSL, Client Authentication, and Secure Email. You need certificates for all of these – with SSL certificates at around $1,000 per year (from Comodo for multi sub-domains) is it any wonder more and more hosting providers are moving away from Windows to cheaper Linux based hosting solutions and charging more for use of their SSL certificates?
This is not a free market with open competition.
What do you think? Let me know, drop me a comment!
Update:
Within a couple of hours of my post, I received the following anonymous message from someone at Verisign, claiming to be a Mr/Ms [email protected] (IP: 65.205.251.51 , gateway1.verisign.com).
Mr/Ms “Blah” Verisign said: “Please due your due diligence before commenting as there is a major difference between CA providers”, but Verisign neglected to mention in this poorly written comment what the actual “major” difference(s) between CA providers actually is/are.
It seems Verisign have a particularly close eye on the blogging community for any key words which might portray them in a bad light; how interesting!
However, my blog post concerns:
1. The high (often extortionate) cost of code signing certificates; given what they are.
2. The price difference between different certification authorities for code signing (authenticode) certificates.
3. The obscene practice of Microsoft/Microsoft’s third parties in insisting “Certified For” products must be code signed with a VERISIGN certificate (and not from any other CA).
There are some real issues here for the industry.
Can anyone shed any light on what Verisign claim are “MAJOR” differences between the CA’s (other than some CAs being a rip-off racket)?
Final word: Purchase your authenticode certificates from Comodo. Comodo are the most competitive CA for authenticode certificates that I think you’ll find!
Amen, brother! While the SSL racket has thankfully pretty much bottomed out due to increased competition, that simply hasn’t happened to the code signing market.
This trend really hurts individual developers. On the one hand, I like the idea of signing my hobby/freely distributed code so that I can ensure that my binaries have not been maliciously tampered with, such as with a trojan payload, thus preserving the integrity of my reputation and name. I can make up a certificate for myself–PKI has been around for years–but this still isn’t good enough to avoid the scary message. (We’re used to clicking “Accept this key for future sessions” when we SSH to a machine for the first time; what’s so wrong with a “always trust Nick from now on” option as well?)
So what happens with this red tape and expensive costs? Nobody really signs anything. Has anyone *ever* installed a signed Firefox extension? How many drivers tell you to click on that “Continue Anyway” dialog? And how many free utilities pop up the scary yellow warning in Vista? The only time that I encounter a signed installer is if it comes from one of the “big” companies. And I’m talking in generalities here, but I would bet that most people really don’t pay attention enough to notice the different between the yellow Vista dialog and the grey one.
Why? Since 80% (just throwing out a number) of binaries that everyday people use are unsigned, guess what has happened: regular people ignore these warnings. It’s just another OK button in the Next Next Next of software installation. By making obtaining code signing certificates so arduous and expensive, we’ve made them worthless, too, simply from a lack of their widespread use.
The real problem is that we are trying to munge the concepts of file integrity and trustworthiness into one certificate. Web SSL certificates tried to do the same thing, but it’s so easy to get a $20 SSL cert now that we can’t really say that they make any sort of statement of trust. Any phisher can get one. So why should we delude ourselves into thinking that Authenticode does the same, that it marks software as trustworthy in addition to being untampered? Just because it’s really expensive and hard to get, and only “big” companies (they *must* be trustworthy) have the ability to go through that process?
Ugh. I hate everything too =)
amen indeed!
we have run into the exact same scheme…those winqual mofos refuse to accept our komodo certificate, which is utter nonsense because windows itself and iexplorer, etc, are stating this certificate ‘is ok’. just another way of squeezing some money out of us…but i expect nothing less from those twerps at verisign, they have tried (and got away with) some nice tricks before innit?
http://www.dmoz.org/Society/Issues/Business/Allegedly_Unethical_Firms/Verisign/