Windows SmartScreen warning #300

Open
dexX7 opened this issue Mar 10, 2015 · 3 comments


dexX7 commented Mar 10, 2015

On Windows 8.1 and Windows 10 TP a SmartScreen warning is fired for Omni Core. Some browsers furthermore appear to show download warnings.

[Image: smart-screen-warning]

This is the default behavior I observed on several fresh systems.

Trust needs to be gained, so this is no surprise. The process however is a bit fuzzy and reputation appears to be built over time, based on user behavior, whether applications are flagged as malicious or not, [...] Providing signed files seems to play a significant role.


It looks like a shortcut exists to gain instant reputation, to quote:

> Programs signed by an EV code signing certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists for that file or publisher. Other factors are considered when generating reputation and determining product experiences and EV-signed programs will be closely monitored over time.

http://blogs.msdn.com/b/ie/archive/2012/08/14/microsoft-smartscreen-amp-extended-validation-ev-code-signing-certificates.aspx

Microsoft accepts standard code signing and extended validation (EV) code signing certificates from Symantec and DigiCert.

To my surprise actually, extended code signing even requires the use of a hardware token generator as second authentication factor. The certification comes at the cost of $449.00 (DigiCert) to $795.00 (Symantec) for 1 year plans:

General information:

Also interesting and related:

@zathras-crypto

Thanks @dexX7 - as you say I believe as more and more users download we would gain trust - probably just enough right at the point we release a new version and the whole process begins anew :p

For the time being I guess users will need to override this - I don't think our target audience is non-technical users and overriding 'assumed malicious' downloads must be fairly common knowledge by now seeing as the trend in the security space has reversed approach to "whitelist known good stuff" instead of "blacklist known bad stuff" (i.e. security software assumes it's bad until proven otherwise).

@zathras-crypto

P.S. I take more of a conspiracy theorist view hehe - by automatically flagging any new (call it unknown but it's pure marketing semantics) software (not suitably signed as per above) as "potentially malicious" you effectively push the majority of developers through a grandfathering process to the Windows App Store deployment where your app will be "verified" and "you'll have none of these problems" related to warnings of malicious content.

Long story short - deploy software to your users the 'traditional way' and Microsoft gets nothing, deploy via Windows App Store and Microsoft gets 30%.

EDIT: Sorry sounds like a rant hehe - I just have a chip on my shoulder about desktop computing being the last bastion of computing where freedom still reigns and what software you are able to run is not decided for you by Apple/Google/Microsoft. :)


dexX7 commented Mar 11, 2015

Haha, don't get me wrong, this is no attempt to push Omni Core into the MS App Store, but I mentioned it, because the criteria are well defined and where I was basically getting: what gets into the App Store has no SmartScreen warning, therefore this may be helpful to get rid of the warning. ;)

I stopped at this point, to dive into the app crash error, but it's probably worth gathering more information on how "reputation" can be gained, e.g. if it's possible at this stage, whether we'd need to separate further from the original Bitcoin Core, ...
