This trend really hurts individual developers. On the one hand, I like the idea of signing my hobby/freely distributed code so that I can ensure that my binaries have not been maliciously tampered with, such as with a trojan payload, thus preserving the integrity of my reputation and name. I can make up a certificate for myself–PKI has been around for years–but this still isn’t good enough to avoid the scary message. (We’re used to clicking “Accept this key for future sessions” when we SSH to a machine for the first time; what’s so wrong with a “always trust Nick from now on” option as well?)

So what happens with this red tape and expensive costs? Nobody really signs anything. Has anyone *ever* installed a signed Firefox extension? How many drivers tell you to click on that “Continue Anyway” dialog? And how many free utilities pop up the scary yellow warning in Vista? The only time that I encounter a signed installer is if it comes from one of the “big” companies. And I’m talking in generalities here, but I would bet that most people really don’t pay attention enough to notice the different between the yellow Vista dialog and the grey one.

Why? Since 80% (just throwing out a number) of binaries that everyday people use are unsigned, guess what has happened: regular people ignore these warnings. It’s just another OK button in the Next Next Next of software installation. By making obtaining code signing certificates so arduous and expensive, we’ve made them worthless, too, simply from a lack of their widespread use.

The real problem is that we are trying to munge the concepts of file integrity and trustworthiness into one certificate. Web SSL certificates tried to do the same thing, but it’s so easy to get a $20 SSL cert now that we can’t really say that they make any sort of statement of trust. Any phisher can get one. So why should we delude ourselves into thinking that Authenticode does the same, that it marks software as trustworthy in addition to being untampered? Just because it’s really expensive and hard to get, and only “big” companies (they *must* be trustworthy) have the ability to go through that process?

Ugh. I hate everything too =)

Within a couple of hours of my post, I received the following anonymous message from someone at Verisign, claiming to be a Mr/Ms blah@blah.com (IP: 65.205.251.51 , gateway1.verisign.com).

Mr/Ms “Blah” Verisign said: “Please due your due diligence before commenting as there is a major difference between CA providers”, but Verisign neglected to mention in this poorly written comment what the actual “major” difference(s) between CA providers actually is/are.

It seems Verisign have a particularly close eye on the blogging community for any key words which might portray them in a bad light; how interesting!

However, my blog post concerns:

1. The high (often extortionate) cost of code signing certificates; given what they are.
2. The price difference between different certification authorities for code signing (authenticode) certificates.
3. The obscene practice of Microsoft/Microsoft’s third parties in insisting “Certified For” products must be code signed with a VERISIGN certificate (and not from any other CA).

There are some real issues here for the industry.

Can anyone shed any light on what Verisign claim are “MAJOR” differences between the CA’s (other than some CAs being a rip-off racket)?

Final word: Purchase your authenticode certificates from Comodo. Comodo are the most competitive CA for authenticode certificates that I think you’ll find!