Two weeks ago I had a meeting with Marleen and I wanted her to install a software upgrade on her home computer. Man, what a horrible experience was that! It seemed like Internet explorer and all kind of virus scanners had unleashed war against all malicious software that originates from the internet. Not a bad thing, except that I almost felt like a criminal when I saw all those big red warnings appearing on screen telling the user that the software is probably unsafe and that you must be really stupid if you ever wanted to run this software. Because I trust myself, I clicked my way through all those warnings but I realized that this was going to be a big issue if I wanted my software to be downloaded and used. So I went looking for a solution.
The solution comes from a digital signature that I must add to all software that I want you to download from the internet. The signature tells you that the software was published by
Amberes IT Consultants bvba, which is the legal name of my company (it is not 'Gymnastics Software', I wouldn't be able to pay my bills from that). The signature comes in the form of a certificate and I had to buy it from a
certification authority who did a background check on my company before they agreed to sell me a certificate. Now every time I put new software on my website, I add the digital signature to it, so that your web browser and antivirus software can verify that the software really comes from me, and was not hacked.
Knowing that the software was written by me, is one thing. Knowing that the software will not harm your computer is another thing. After all, every hacker can get himself a certificate (would not be smart, because the certification authority would know where he lives). Therefore, Microsoft introduced in Internet Explorer 9 a technology called 'reputation'. Every certificate (or digital signature) that is used to sign software on the internet, receives a 'reputation' score. This reputation score is incremented when more people start downloading software that was signed with it, and also when virus scanners report that the software contains no virusses or other threats. This means that from now on when you download new software from my website, you will be notified that the publisher is known as 'Amberes IT Consultants bvba', but that the software is not commonly downloaded and potentially harmfull. This warning will eventually disappear in the future when more and more people start downloading the software and virus scanners report back to Microsoft that software signed by 'Amberes IT Consultants bvba' never contains viruses.
To show you the different user experience between signed and unsigned software downloads, I placed screen captures from Internet Explorer 9 for unsigned downloads and signed downloads (the first picture is always the unsigned software):
First you have to tell whether you want to save or run the file. The browser has not downloaded anything yet, so it doesn't known if the file is safe or not: no difference in warnings between the two files. (www.gymnastics-software.com is hosted on my companies web site www.amberes-it-consultants.com)
In both cases I clicked [Run]. After downloading the file, you can notice the first difference. The message is the same: the file has a low reputation score, so be cautious. The difference between signed and unsigned files is in the color of the warning window: red versus orange.
On my pc runs Norton Antivirus, and it immediately scans the file. Again there is a difference between the outcomes of the scans:
To install the software, we must click [Actions]. That brings us in both situations to the same dialog box. I must admit, in neither case you are encouraged to run the software. At least you get to see the name of the publisher in the signed download: 'Amberes IT Consultants bvba'
We must click [Extra Options] before we can launch the software, and again little difference here:
If I click [Run Anyway], internet explorer launches the software. The signed software actually starts installing. The unsigned software still must pass the virus scanner and a terrifying window appears trying to convince you not to run the software.
A long blog post to tell you that from now on, our software will be signed, and hopefully in the near future the reputation score will be high enough so that internet explorer will immediately recognizes our software as safe.
Tom