Ok, maybe the title came across a bit too strong. I actually really like the idea of executable packages being signed so I know where/who they came from. And for device drivers I can see why they have effectively made it mandatory.
But this last week I ran into a major road block with the Windows 8 smart screen filtering. Supposedly this is to keep me safe. I can even buy that requiring an installer to be signed so you know where it comes from implies a greater degree of reliability.
I have a software package that has been shipping for years, has always been signed, and now our digital certificate has expired and been renewed. For some reason, Microsoft has decided that this must mean that our software is untrustworthy. They have conveniently provided us with the opportunity to purchase a more expensive certificate for signing (EV code signing) that will let us me immediately trustworthy.
But when we tried to go down that road, we ran into all kinds of road blocks. The EV certificate has to be on a hardware token, cannot be used on an Amazon EC2 instance (or any other cloud based machine), and it also cannot be used on a VM of any kind (they informed me that this was a “security feature”). So my only option is to purchase dedicated hardware for the relatively rare situation where I need to perform a publically released build.
It feels like so-called security companies don’t have a clue about usability. The down side of this is that the more they make security unusable, the less it will be used. There is a huge human factor to security that they just don’t want to admit exists.
It also feels like Microsoft is just trying to help generate revenue for signing certificate providers. If we have proven our identity, and created a reputation for our existing certificate, then the fact that we have to renew our certificate shouldn’t be a cause for lowering our reputation. Rather, Microsoft needs to provide a way for our reputation to migrate to the renewed certificate.
And now some more to add to the drama. Apparently the hardware token I have will not allow itself to be used if I am connected over Remote Desktop. Again, the provider tells me this is a “security feature”. So my options are to provide physical access to the secure server room, or move the signing machine to my desktop, which basically provides physical access to the server for anyone. (It also would mean the token sits on my desktop where anyone can take it and use it.) Aaarrrggghhh!
Jeremy , if you left your person PC wild open to anyone who can access . without any protection .e,g password creditental , then it is your personal issue rather than the EV code signing process issue. also the EV token is password protected , which means you cannot use the token to sign without knowing the token password . Of course if you give that password to anyone who do have access to your PC ,then its your personal issue again.
@Eric, all valid points. However, I still think that there is sometimes a disconnect between security and usability. Yes, my PC is more secure if it’s in a locked room where noone else can access it. But I work at a company where there is an open seating arrangement, which means I don’t have that option. My solution was a VM in a secure closet, but the EV token people have decided that’s not secure. Secure passwords are also very important, but the reality is that nobody will follow the best practices of a different, highly-secure password for each resource. Why? Because people can’t remember all those passwords.
So nothing you said is wrong, but I still think security experts need to spend more time with usability. All the security in the world won’t help you if it’s too cumbersome to use. Thanks for stopping by!