Special

Introducing the “Welcome to Xojo” Bundle!

New to Xojo and looking for guidance? We've put together a terrific bundle to welcome you! Xojo Bundle

This bundle includes six back issues of the magazine -- all of year 17 in printed book and digital formats -- plus a one-year subscription (beginning with 18.1) so you'll be learning all about Xojo for the next year. It's the perfect way to get started programming with Xojo. And you save as much as $35 over the non-bundle price!

This offer is only available for a limited time as supplies are limited, so hurry today and order this special bundle before the offer goes away!

Article Preview


Buy Now

Issue 4.4

REVIEW

Microsoft Authenticode Digital ID

Issue: 4.4 (March/April 2006)
Author: Brian Rathbone
Article Description: No description available.
Article Length (in bytes): 4,135
Starting Page Number: 9
Article Number: 4405
Related Web Link(s):

http://www.verisign.com/

Full text of article...

Internet software delivery is wonderful and powerful, but there are many pitfalls and dangers waiting to snare the unwary. Software developers bear the responsibility of providing safe and secure access to their downloadable products. Microsoft Authenticode Digital IDs are one way of doing your due diligence.

Code signing may seem frivolous. After all, the most visible effect is that users who download your installers will not see a message warning them that the content may be unsafe. I've had folks tell me that the cost of the digital ID is too high just to eliminate a warning message, but I tend to disagree. Signing your installers will allow you to remain confident that your code has not been tampered with and that your users are not being put at risk.

In truth, if your website is the only place users can download your application, then the risk is minimal. More and more, however, the proliferation of software download sites makes this approach less practical. Many developers are taking advantage of the additional exposure these sites offer, and the bandwidth savings realized by having someone else host your files. The exposure can be a boon for your business, but it also presents new dangers for you and your users.

Let's say, for example, that you create a wildly popular application and make it available on a variety of software download sites. Joe Hacker is looking for a way to spread his latest malware. What better way than to include it in an installer for your popular application. One would like to hope that such a thing would, at the very least, be difficult, but it's not. It's easy--too easy. In a matter of minutes he can clone your installer or simply use one of the many free joiners available on the Internet. With just a little effort, he can make his installer look identical to your original installer--same size, date, icon, everything. Then he can upload it to popular download sites, and all your hard work and effort will be used to his advantage and your detriment.

At first, the reputation and popularity of your software will spread his malware like wildfire. That's when the really bad things start to happen. Suddenly you are to blame for spreading this latest digital scourge, and there is very little you can do to stop it. Your company can quickly become associated with the offending malware, and your reputation becomes permanently tarnished.

While REALbasic compiled executables cannot be directly signed, you can create an installer and sign it. You must find an installer package that supports digital signatures, which rules out many otherwise wonderful packages. A quick search will reveal a number of popular installer packages that do support digital signatures, some of which even integrate the signing process directly, preventing you from forgetting to apply your signature before uploading.

If your serious about targeting the Windows market, and you want to protect yourself and your users, a Microsoft Authenticode Digital ID from Verisign is highly recommended.

End of article.