Dancing Bunnies or Why I'm not going to use signed installers

Posted on:July 18 2012

Recently, developers noticed that Microsoft introduced a new 'feature' in Internet Explorer 9, named 'Smart Screen Filter'. In most cases, it manifests as annoying and scary looking popups which appear after you downloaded some program from the Internet, telling you that this particular program is evil. This 'smart' screen filter simply checks if the binary has been signed, and if not, it apparently checks if the program is very, very popular at least. If both of this isn't true, and this is the case for 90% of all programs, it tells the user that the program is probably harmful. For people downloading my WebGL 3D editor CopperCube, it looks for example like this (german version):

If you want to run the just downloaded installer, you need to click through two very scary popups, and they even try to hide this option for you, putting the 'run anyway' option under the obscure 'Actions' button.
So, as developer who wants people to actually use my software, the only apparent way to circumvent this harassment is to buy a certificate (usually this costs 100$ dollar a year and involves some senseless bureaucratic phone calling) and sign the binaries with it. Of course, for the end user, this doesn't change anything, there is no reason why a malware or virus developer couldn't do this as well. And unsurprisingly, most people searching for Smart Screen Filter in Google, are apparently looking to 'turn off' and 'disable' this thing. :)
But in contrast to some fellow developers, I'm not going to anything about it. Here is why:
This new filter currently annoys the crap out of the users. Instead of trusting IE9, telling them that the program they downloaded is evil, they find ways to get the program anyway. Either they find the hidden option to run the program anyway, find ways to disable that filter, or they even simply start using another browser. Some users even sent me a support mail, asking me how to get the software, and they were happy to install Chrome after I told them to.
So as developer, instead of supporting this senseless security 'feature', I'm simply not using signed binaries and training people to ignore these warnings. It's the 'dancing bunnies' problem again: If people want to see it, they will get it, it doesn't matter if you throw obstacles and warnings to them. And it is good that way. If your operating system is designed to be able to harm itself, then fix your operating system, do not try to prevent the user installing stuff on it.


I actually think signing your code is a good idea, and I like that someone else can't put a hacked package online and claim it came from me. Sure, a virus writer could register their own signing ID, but they're not likely to provide proof of address, and they're not going to be able to pretend to be me (if the checks are reasonable). Their cert can easily be shut down if found to be being used to distribute malware too.

So I think it's a bonus for corporate devs, for whom $100 a year and a morning of set up time isn't a big deal. However, it IS a pain in the ass for open source / hobby projects.
2012-07-18 12:55:00

"I like that someone else can’t put a hacked package online and claim it came from me"

You assume that the user will know to inspect the certificate and check that the details match the details of the publisher they were expecting. In reality they click whichever button is closest to "yeah, whatever" and get on with infecting their machine.

These sort of security measures do far more harm than good in the long run. By making the user click through the dialog for the majority of their downloads, they're training the user to ignore it (how often do you think users confirm the details on the UAC prompts for example?). This then combines a false sense of security with a lack of attention - the recipe for disaster.
2012-07-18 14:42:00

signing you say? SHA1 checksums work much better than any signing retardation. i hate driver signing in windows, it limits people. f**k the corporations rly..
2012-07-19 09:56:00

IE was written by Satan
2012-07-19 18:32:00

If IE really was written by Satan I would expect it to be sexier, in a way.
2012-07-20 09:38:00

SHA1 checksums don't confirm the publisher - a fake version of a software package will match the checksum that the fake distributor tells you about :P
2012-07-20 19:19:00

Add comment:

Posted by:

Enter the missing letter in: "Internationa?"




Possible Codes

Feature Code
Link [url] www.example.com [/url]
Bold [b]bold text[/b]
Quote [quote]quoted text[/quote]
Code [code]source code[/code]