>If MS was serious about this only being for security they could issue the certificates for free and prove me wrong.
Make it too easy, and the scamware software will just get a free cert and sign apps.
It takes some amount of effort, possibly by a human, to approve you to receive a cert.
Even the "free" certs I've applied for have taken time and human interaction on the side of the registrar, and I'm certain those certs are offered as loss-leaders for their other products.
I'm unfamiliar with many of these certificates, but is there any reason such 'scamware' wouldn't be able to get one even though it costs money? Because, if they still can, then the whole certification business definitely seems like a big scam to me.
The certificate authority should revoke their signing certificate if their binary is found to contain malware, returning them to the big warning state.
Okay, "free" was poor phrasing. I should have said "no extra charge". Compare this to the situation described in the original article, where the developer had to buy a separate $59 certificate from a third party, on top of what Microsoft charges you for Visual Studio (which looks to be $499 for the cheapest non-evaluation version).
Express isn't an evaluation version. Also, it's trivially easy to get set up with BizSpark if you're a small startup and get free copies of Visual Studio.
No mobile apps, no conventional desktop apps, no command line apps... looks pretty "evaluaty" to me. Also: "private developers will have to pay $49 a year, corporations $99 a year."
So, on the one hand we have (from Apple):
Xcode (free or $5.00, depending on what kind of mood Apple is in that week)
Developer program with store access: $99/year
Code-signing certificate: included.
From Microsoft we have:
Non-crippled Visual Studio: $499
Developer program with store access: $49-$99/year
Code-signing certificates: must be purchased separately from a third party.
Sorry, but Microsoft backpedaled after the bad press. You can download Windows 8 development tools for free now. [1]
Your info about "no command line apps" is also outdated. It USED to be true, but I have VS2010 Express, and it came with the command line tools:
    c:\Devel\Msdev.2010\Common7\Tools>vsvars32
    vsvars32
    Setting environment for using Microsoft Visual Studio 2010 x86 tools.
    c:\Devel\Msdev.2010\Common7\Tools>cl
    cl
    Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
    Copyright (C) Microsoft Corporation. All rights reserved.
    usage: cl [ option... ] filename... [ /link linkoption... ]
    c:\Devel\Msdev.2010\Common7\Tools>
I also use Xcode, and it's ... not nearly as good as Visual Studio, though I am liking the new Eclipse-like "compile your code as you're typing it" real time error markup. A friend tells me that Xcode can be configured to be sane, but I haven't given it a try yet.
Some combination of distributed notaries, warning for unusual certificate conditions (e.g. certs changing when they have lots of time until expiration -- Dear Google, please stop doing that), and other ideas.
When given the option to choose who to trust, the vast majority of users will stay with the defaults, which are chosen by Google, Microsoft, and Mozilla. That's not fundamentally different from what's currently in place.
Tack is much more interesting. I'm too sleepy to fully understand the proposal, but what I've gathered so far looks promising.
It could be structured based on kittens and be at least as secure. I could steal a guy's wallet, copy his id, slip it back or just throw it out, buy a certificate, slip virus-laden software and it would get a huge seal of approval.
That's not much of an argument. It's not very easy to mug someone from Nigeria. Eliminating a remote attack is a big deal.
Of course, the sheer number of certs given out guarantees that some bad guys will be able to get one using fake id. But the point is to make malware rare and easier to investigate, not to eliminate it completely.
Most people care less about assurance and more about encryption. I.e., unless you're subject to a MITM DNS attack, you're a lot less likely to be directed at the wrong paypal.com than you are to, say, have your password sniffed off the wire, or by a keylogger on the local machine.
And that identity assurance is where most of the scam comes in. Encrypting communication securely is dead simple (from an implementation standpoint - pick a cipher and go), making sure server X actually represents who they say they do, that's a whole different can of worms.
Many users have figured out that if they click the OK button (or maybe the Cancel button), the dialog goes away. In this case, they know that they get what they want (downloaded file) if they hit the right buttons; they've probably hit exactly this before, on innocuous programs, and don't trust the warning messages.
Or we might just have a bunch of reasonably-savvy users that have realized that lack of a signature is not the same as untrustworthy software.
Racketeering indeed! I am sure that was the goal of the SmartScreen filter in IE. Cert vendors and MS must have colluded to add this feature so that developers of all binaries are forced to buy certs. Right?
I'm sure a large part of the reason Microsoft wouldn't offer it for free is that, at the time, any effort on Microsoft's part to enter a new market off the back of an existing market would be scrutinized pretty heavily by the DOJ. They couldn't even add virus scanning functionality to Windows because of anti-trust concerns.
He said "at the time", which I guess refers to the difference between SmartScreen's release, which was apparently 2006 with IE7, and MSE's 2009 release.
"that is some nice software you have there, would be a shame if users thought it was dangerous"
"pay a little money to one of these approved companies and that warning will go away"
If MS was serious about this only being for security they could issue the certificates for free and prove me wrong.
On the other hand, why is it that about 20% of users click past BOTH of these EXTREMELY scary warnings? Don't they read them at all?