I wanted to compare the Everything Report in the new version of Behold that I am working on to the most recent release. I needed to install the older version on my new computer so I went to Behold’s Download Page to install it from there. I clicked on the download link, selected Run, waited for the loading, and then got a nasty surprise:
Up popped a window titled: “Internet Explorer - Security Warning”. In the window was: “The publisher could not be verified. Are you sure you want to run this software?” Then there was a scary red “X” graphic and beside it: “This file does not have a valid digital certificate that verifies its publisher. You should only run software from publishers you trust.” Then there were two buttons: “Run” and “Don’t Run”.
So instead I downloaded the file to my machine first, and I was even more surprised that the same Warning window still popped up when executing the downloaded file. This was a much scarier message than the Warning from Windows 98 which was more generic and only said that some files can harm your computer - do you still want to run this file?
After spending time researching on the Internet what this is all about, I found out that starting with Windows XP SP2 Microsoft added extra security measures that produce the Warning box. I am sure many of you received this message when you downloaded Behold. Many of you chose to “trust” me and install it despite the message. But I wonder how many people decided not to.
What Microsoft is trying to do is to make things safer for you. If I sign my code, then it will verify to you that it is from me and that it has not been modified since I produced it, meaning no viruses or trojans or spyware were added by a third party. What Microsoft did is get other companies to be the security agents. You’ve probably heard of Verisign and maybe Thawte, which Plimus uses (see my Buy Now page). It turns out there are only a few companies that certify code. I ended up selecting Comodo because they seem to cater to smaller clients better. I got great customer service from them and signed up and had my identity verified in less than an hour.
So what I’ve now done is integrated this code signing into Behold, verified by Comodo. The Scary Warning message is replaced with a more acceptable “Do you want to run this software? Name: Behold Setup. Publisher: Louis Kessler”. The red “X” graphic is now a yellow “!” that is a bit more polite about what it says than it did in the other message.
Behold’s download page now has a couple of lines at the bottom to indicate that the download files are digitally signed.
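The two properties described above, who signed the file and whether it changed after signing, can be checked on a downloaded installer before running it. This PowerShell snippet is an added example, not part of the original post or of Behold; the function name and the file name `BeholdSetup.exe` are assumptions.

```powershell
# Added example: inspect the Authenticode signature of a downloaded installer.
# Test-InstallerSignature is a hypothetical helper name.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    # Read the publisher and the issuing CA name from the signing certificate.
    $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $publisher = if ($signer) { $signer.GetNameInfo($nameType, $false) } else { $null }
    $issuer    = if ($signer) { $signer.GetNameInfo($nameType, $true) }  else { $null }

    # Map the signature status to the cases the post describes.
    $verdict = switch ([string]$sig.Status) {
        'Valid' {
            if ($publisher -eq $ExpectedPublisher) { 'OK' }
            else { 'SignedByUnexpectedPublisher' }
        }
        'NotSigned'    { 'Unsigned' }              # the "publisher could not be verified" case
        'HashMismatch' { 'ModifiedAfterSigning' }  # file changed since the publisher signed it
        default        { "Untrusted ($($sig.Status))" }
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Publisher   = $publisher
        Issuer      = $issuer
        Timestamped = [bool]$sig.TimeStamperCertificate
        Verdict     = $verdict
    }
}

# Assumed file name; the publisher string is the one shown in the signed dialog.
# Test-InstallerSignature -Path .\BeholdSetup.exe -ExpectedPublisher 'Louis Kessler'
```

A `Valid` status only says that the signature chains to a trusted certificate authority and that the file is intact; comparing the publisher name against the one you expect is the separate step the dialog leaves to the user.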