Honest Software Security, or Highway Robbery?
There is a secretive battle being waged for control of the software on your desktop, and unless you’re working in software configuration or a Micro ISV, you probably aren’t even aware of it.
The battle is over code signing, and how software developers are held ransom by the code signing certification authorities (one in particular, see if you can figure out which!), to purchase expensive certificates, and in the case of developing a “Certified For Windows” application, with no real technical need at all!
What is Code Signing?
Code signing is a process which allows software publishers to use a certificate in order to “stamp” or sign code (usually program installers). This process imprints the publisher’s details onto the file so that when users use the file they can decide whether to trust the publisher and allow the content to run, or not.
When a publisher signs code, it is like applying a seal to it. It proves that the code hasn’t been tampered with, it shows who the code comes from, and only those with the correct signet ring or stamp can make the stamp.
Why use Code Signing?
The internet has made anyone with the right tools and aptitude into a potential software publisher. This means that a lot more hackers, script kiddies and novices can put their own “free” malware openly on the internet. People can release software, pretending it comes from someone else - or worse still, damage a company’s reputation by releasing fake spoofed software.
Users now have a way to determine if the software they have is trustworthy. The code signing “stamp” on the file is also broken if the file is modified without the publisher’s permission. By using only code signed installers, you know that the file is genuine and from whom it purports to be.
Although the use of certificates in computer security has been around for over a decade, Microsoft has created its own Code Signing technology, dubbed “Authenticode”. In order for a publisher to get on board with “Authenticode” to sign their software, they must purchase an “Authenticode” type certificate from one of Microsoft’s trusted partners.
The way certification authorities work is that Microsoft explicitly trusts a small group of privately-owned companies to only issue certificates to companies which have paid for and passed the security checks (usually checking business address, registration, contact details, etc). In this way, by signing your code with a certificate that has been obtained from one of Microsoft’s trusted group of partner companies - Microsoft Windows will acknowledge your certificate as potentially trusted and ask the user if they always want to install your software, never install, or to ask each time software from this publisher is run. For example:


The user can then click the link of the publisher to view pre-defined information about the publisher from the certificate.
If the unfortunate publisher could not or did not sign their file, you would see messages like the following:

The problem… The Microsoft “Certified For” Testing Racket
Creating your own certificates can be done by anyone - in seconds. Your own certificate containing a public/private key pair can be created by yourself in order to authenticate secure email, or used with PGP (Pretty Good Privacy) for file encryption.
The issue is that your own DIY certificate stamp isn’t sufficient. You need to be checked out first by one of Microsoft’s partners to see if they think you warrant a certificate (of course they will, they want your money after all). The CAs provide a vetting service, checking the identification documents of whichever organisation wishes to obtain a certificate issued by a Trusted Authority. Microsoft calls these organisations “Trusted Root Certification Authorities”, meaning that any certificate they issue is trusted (and hence, not hand made by Mr. Hacker).
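The two checks behind the “stamp” described above, as an added example that is not part of the original post: an integrity check on the file, and a trust check on the signer’s certificate. OpenSSL stands in for Authenticode tooling here, and the root, the publisher name and the installer file are all constructed.

```shell
#!/bin/sh
# Added example: OpenSSL stands in for Authenticode tooling; every name,
# path and file below is constructed for the illustration.
WORK=$(mktemp -d)

new_root() {          # stand-in for one CA on the "Trusted Root" list
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Trusted Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

new_issued_cert() {   # $1 = label; publisher certificate issued by the root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Publisher Ltd" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 30 -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

new_diy_cert() {      # $1 = label; self-signed, claims the same publisher name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Publisher Ltd" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

sign_file() {         # $1 = label, $2 = file; writes detached signature $2.sig
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

check_file() {        # $1 = label, $2 = file; prints one verdict
  openssl x509 -in "$WORK/$1.crt" -pubkey -noout > "$WORK/$1.pub"
  # Check 1: does the signature still match the file's SHA-256 digest?
  if ! openssl dgst -sha256 -verify "$WORK/$1.pub" \
         -signature "$2.sig" "$2" >/dev/null 2>&1; then
    echo "tampered"
  # Check 2: does the signer's certificate chain to the trusted root?
  elif ! openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo "intact-but-untrusted-publisher"
  else
    echo "intact-and-trusted-publisher"
  fi
}

# Demo on a constructed "installer".
new_root && new_issued_cert vetted && new_diy_cert diy
f="$WORK/setup.bin"; printf 'installer bytes (constructed)\n' > "$f"
sign_file vetted "$f"; echo "vetted cert:   $(check_file vetted "$f")"
sign_file diy "$f";    echo "DIY cert:      $(check_file diy "$f")"
printf 'patched' >> "$f"; echo "after change:  $(check_file diy "$f")"
```

Both certificates carry the same publisher name, so the name alone decides nothing; only the chain to the trusted root separates the vetted certificate from the DIY one.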
Certificates can be purchased from any one of the companies on Microsoft’s “Trusted Root Certification Authorities” list:
The trouble is, getting one of these companies to make a certificate for you can be time consuming, and expensive.
My company is a proud Microsoft Partner. But there are things Microsoft do that are simply unethical. For example, preventing the certification of your software unless you hand over a bulk of unnecessary cash to the Verisign corporation. An Authenticode certificate from any of the other providers, (Thawte, Comodo, etc) simply won’t work - it has to be from Verisign. This is for business and not technical reasons. Anti Trust, anyone?
For example - compare the prices of an Authenticode certificate from these two providers:
- Verisign: $499 / year (with discounts on multiple years to $431/year for a three year term) - standard code signing certificate
- Comodo: $179 / year (with discounts on multi-year purchases).
What’s the difference? None. Except, you won’t be allowed onto the Microsoft “Certified For Windows” testing scheme until you’ve paid for the most expensive certificate. Even if your software doesn’t use it. I know… I’ve had to purchase both. Verisign took 3 weeks to process our certificate, they wanted to check all manner of business utility bills, phone numbers, test our fax machine and email before they would issue a certificate. Comodo issued a certificate immediately without any checks whatsoever. Comodo were also 3 weeks late in sending us our VAT invoice as apparently the support team was in hospital in January (talk about crazy excuses for a 250 person business!). Both vendors take immediate payment, however. Nice to see medium and large sized tech businesses screwing the smaller ones on price & service…
As a proud vendor of quality software, I of course want to put everything we make through the most rigorous testing procedures possible in the industry. Since we develop software for Microsoft Windows and Server platforms, it makes sense that our software is certified for use on the platforms for which it was designed.
In order for any vendor to test their software to Microsoft standards, it must be handed over to a third party testing organisation (e.g. Lionbridge) to be tested. It must also be code signed with a special code signing certificate, that has to be purchased from Verisign. We had been using our own in house code signing certificates up till this point. Needless to say, Verisign is the most expensive code signing provider in the market.
Also, since Microsoft released Windows Vista the fearsome warning messages about unsigned code have become even more prominent. These messages “warn” users about unsigned code. Some platforms may be configured to not allow any untrusted/unsigned code to execute. Any professional software development house will have its own certificate to sign its files or risk dealing with unnecessarily confused users, potential damage to business reputation, and lost downloads & sales.
What about customers?
There are benefits to using signed software. Obviously if Bob from next door wrote some software for you, it’s unlikely to be professionally code signed. However, you can probably trust Bob. If you download and install some software that purports to be from “Microsoft Corporation”, but on clicking the publisher link (see pictures above) you see that the certificate wasn’t issued by a trusted provider (Vista provides suitable red warnings for this), then it is obvious that the certificate is a spoof.
What do I suggest?
If you’re a software developer: Pay Comodo for a code signing certificate, but try to find an affiliate that provides them cheaper than the list price. They are out there - drop me a comment if you want a link to my preferred affiliate’s store. When and if you go for “Certified” testing, contact Microsoft and tell them what you think about having to purchase another certificate from Verisign.
If you’re a consumer/computer user: Just because something is signed does not mean that it is not dangerous. A signature doesn’t mean that the software is safe, tested, or anything like that. It may not even be a guarantee that the software is from who it says it’s from. Trust no-one, and only obtain your software from legitimate sources (not BitTorrent or P2P filesharing).
What needs to happen?
Either there needs to be increased competition between the trusted root certification authorities, or Microsoft needs to acknowledge that a freely available / cheap trusted code signer should be made available for entry level Micro ISVs. Certainly the security checks offered by the root certification authorities need to be policed. Comodo sent out our certificate moments after purchase, presumably without making any checks. Verisign took three weeks. I am not sure what Verisign were actually doing during this time. Your mileage with certification authorities may vary.
Code Signing isn’t the only segment Microsoft have wrapped up. They’re into SSL, Client Authentication, and Secure Email. You need certificates for all of these - with SSL certificates at around $1,000 per year (from Comodo for multi sub-domains) is it any wonder more and more hosting providers are moving away from Windows to cheaper Linux based hosting solutions and charging more for use of their SSL certificates?
This is not a free market with open competition.
What do you think? Let me know, drop me a comment!
$4,000 prize if you can fix HTC’s TyTN II driver issue
January 22, 2008 by mike
If you read my review of the TyTN II, you might be forgiven for thinking the device is god’s gift to business people and professional mobile users everywhere. Unfortunately, a problem has been discovered in all of the newer HTC model range which appears to be caused by broken or mal-engineered device driver software on the devices. Such a problem is technically fixable by a software update.
The site HTCClassAction.org is offering a $4,000 bounty for anyone who can successfully fix the poor graphical software of the TyTN II.
The company, “High Tech Computers” (HTC), a Taiwanese Microsoft Partner who are market leaders for creating the most powerful handheld devices on the market, have been under fire lately from websites and blogs claiming that the manufacturer “neglected to include the necessary drivers needed for the devices to come to their full potential”.
The main complaints surround the poor graphical performance of the HTC TyTN II. Specifically, laggy web page scrolling, choppy 3D rendering in GPS software such as TomTom and the inbuilt camera.
The HTC TyTN II itself is an awesome device, with impressive overall specifications, including (as I reported earlier), a built in graphics chip using the Qualcomm MSM 7200 chip. However, for the hardware to work to its full potential, the software manufacturer (in this case, HTC) first needs to load the correct “drivers” onto the device to handle putting graphics onto your screen. This makes the HTC TyTN II feel, at times, unresponsive.
Ironically, older devices don’t have this problem - as one user demonstrates on a YouTube video:
Magician (left) = old device with proper driver
TyTN II (right) = brand new device with inadequate/broken drivers
Business users might not encounter such problems as the device is more than capable of checking email, and light web browsing. However graphical performance is compromised for games and the device doesn’t feel as responsive as it should do.
If you have a TyTN II, consider contacting HTC to let them know that you want updated drivers. Click here for more information.
Confirmed Affected Devices (list copied from HTCClassAction.org)
- HTC TyTN II (MSM7200), also known as:
  - HTC Kaiser
  - T-Mobile MDA Vario III
  - AT&T Tilt
  - Vodafone v1615
- HTC Touch Dual (MSM7200), also known as:
  - HTC Nike
- HTC Touch Cruise (MSM7200), also known as:
  - HTC Polaris
- HTC Wings (MSM7200), also known as:
  - HTC S730
- HTC Titan (MSM7500), also known as:
  - Sprint Mogul PPC-6800
  - Verizon XV6800
- HTC Vogue (MSM7500), also known as:
  - HTC Touch P3050 (this is not the normal HTC Touch)
  - Sprint Touch
  - Verizon Touch XV6900
- HTC Libra (MSM7500), also known as:
  - HTC S720
- HTC Iris (MSM7500), also known as:
  - HTC S640
Further Reading
- HTCClassAction.org - “Because HTC dropped the ball, and it’s about time they pick it up!”
- Engadget - “Driver trouble makes angry mobile owners rush castle HTC with burning torches”
- Wireless Week - “Smartphone Owners Unite Over Performance Issues”
- TheRegister - “Peeved HTC smartphone owners offer bounty for driver fix”
Conclusion
If you’re after a PDA business phone, to check email, browse the internet, play a few ‘simple’ games and use as a superfast 3G data modem for your laptop, or to play back wmv or .3gp movies - the TyTN II is still a very good choice. What needs to happen here is that HTC pick up the ball, and release a patch to fix the drivers for the Qualcomm chipset in the affected PDAs. Within 12 months of the Apple iPhone launch, the iPhone Safari browser (although slower than a dialup modem) is already responsible for 1% of all web browsing, thanks in part to the sheer usability and strong hardware performance and strong driver support at Apple for their own device. Let’s hope that Microsoft see the problem and have a chat with their hardware partner!
I’m sure Steve Jobs is watching this hardware manufacturer integration fiasco and rubbing his hands with glee!
Is your device underperforming? Please let me know in the comments section.
.NET Source Code now available for VS2008 users
January 17, 2008 by mike
Last October, Microsoft promised the release of source code for .NET developers to download and browse the .NET Framework and hence debug their applications built on top of the framework more easily.
Previously, when debugging .NET code, only the granularity of a method call or object instantiation was available. Now the call stack can load the symbols to let you step into the .NET code for almost all the .NET classes and methods in your application. This ability is only available for Visual Studio 2008 users.
To get started, either download and install the symbols directly from Microsoft (location to be announced), or enable automatic symbol download from Microsoft by providing the http location within the Options dialog as shown below:

It is now possible to debug .NET applications much further than was previously possible.
However, not all the namespaces of the .NET Framework are available to debug in this way, and the .NET Compact Framework still isn’t (at all). So there’s still plenty of work to do. So thank you, .NET Framework team, and keep up the good work!
Thank you to Richard D for the heads up on this news
Sources:
http://weblogs.asp.net/scottgu/archive/2008/01/16/net-framework-library-source-code-now-available.aspx
http://weblogs.asp.net/scottgu/archive/2007/10/03/releasing-the-source-code-for-the-net-framework-libraries.aspx





