I'd love to hear how this isn't grounds for a product disparagement lawsuit. Are any attorneys familiar with SmartScreen Filter?
A couple of relevant points that may be overlooked:
1) Signing your code, even with an expensive class-3 Authenticode certificate from Verisign that allows you to sign kernel drivers, is no guarantee that IE will not accuse you of distributing potential malware.
2) Contrary to various postings by Microsoft, there appears to be no avenue for appealing IE's poor judgement calls. This happened to me a few months ago -- again, with a signed .exe -- and all of the links on microsoft.com that I followed to submit my download to a whitelist went nowhere useful.
3) Mentioned in the article but worth emphasizing: the ridiculous "This application is not commonly downloaded" criterion almost seems designed to penalize smaller vendors who release frequent updates.
This SmartScreen bullshit is one of those cases where if you're not outraged, you're either not paying attention, or you're profiting from the scam somehow.
Do you have a better idea? Signature-based malware scanning is a joke and a half. I know CA"s can be gamed but unless you're proposing a better solution then don't complain.
Yes; they can do what they're doing now, but drop the scary language. Scaring users with non-specific threatening language does not enlighten them.
Since it's almost unheard-of for malware to be signed with a legitimate, unrevoked certificate, they could also afford to give signed executables much greater leeway when deciding what to report to the user. People seem to be assuming that signing the .exe is enough to keep the dire warnings from appearing. That is not the case, or at least it wasn't the case a few months ago.
Finally, they can provide a standardized method for whitelisting URLs (and not individual executables) instead of what they're doing now, which is apparently nothing.
They are giving signed EXEs much greater leeway, since the publishers is verified by a CA, providing a secure base on which the publisher's reputation is determined.
So what's better? The App Store model, where you pay 30% + $99/year to sell your apps? Or paying for a certificate to prove your software's originator identity? Even OSX will likely soon make buying outside the Mac App Store cumbersome. About the only "free" market is Android or the Web.
I suppose if you're selling to the Windows market, the App Store will be required in a few years as Metro becomes the dominant Windows UI (and Metro apps have to be sold in the Microsoft App Store).
Certification costs money, and certification is a thing in many industries. I notice nobody is banging pots about ASE certification for automotive techs?
I mean, it's true, there is a difference here- the active "This software isn't certified" notification- but is that a critical distinction?
1. Dev checks out his site using IE
2. Dev realizes that IE users were getting scary warnings about his software
3. Dev has to pay up money to a third company to make the scary warnings go away.
Seems like a bad state of affairs to me.