Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates


Today two Certificate Authorities (CAs), Symantec and DigiCert, announced the introduction of EV code signing certificates.
Their announcement is a positive development for users and businesses because it
helps both sides reduce fraud and increase trust. We want to provide some more details
about what this means for Microsoft’s SmartScreen and the Windows 8 application
ecosystem in general.

Windows Store & Windows 8 Apps

The introduction of the Windows Store and Windows 8 Applications will be a significant opportunity for developers
to distribute and monetize their applications. Windows 8 Applications are required
to pass the Windows Store developer onboarding and application review process. This
process is designed to give users confidence in the safety of their purchase while
also making the install process as frictionless as possible. Windows 8 applications
are not in scope for SmartScreen Application Reputation checks or warnings – these
apps are reviewed, code signed, licensed & distributed by the Windows store
directly.

Desktop Apps

Desktop applications remain an important part of the Windows experience and Microsoft
remains committed to the safety of the desktop experience and our users. We recognize
that Internet Explorer (IE) isn’t the only way users download applications from
the Internet, so Windows 8 now uses SmartScreen to perform an application reputation
check the first time users launch applications that were downloaded from the Internet.

This evolution of SmartScreen from IE-only to system wide is a significant improvement
for Windows users. We have seen incredible results with this feature in IE9 (more here & here). Hundreds of millions of users have avoided malware infections
due to these new experiences and we’re happy to bring this protection to Windows
users, regardless of browser choice. For more details on the IE9 application reputation
feature and the data models read this post. For more information on security & safety features in Windows
8 (including Windows SmartScreen) read this post.

The deeper integration of SmartScreen Application Reputation also means that desktop
app developers have an additional motivation to sign their code and establish reputation.
We’ve talked in the past about the importance of digitally signing code for both
establishing reputation and proving the authenticity of programs. I’m happy to say
the development community has responded to this call to action. Since the release
of SmartScreen Application Reputation in IE9 we’ve seen a 10% global increase in
signed downloads, from 73% at IE9 RTM to >83% today.

As we’ve discussed in the past, SmartScreen builds reputation for both individual
programs and for the certificate used to sign that code. Code signing is important
to our reputation intelligence because this higher level identity allows us to build
reputation across multiple programs signed by a publisher. It is also important
for publishers because signed programs inherit the reputation of the certificate
with which they are signed; this means every program a publisher distributes doesn’t
need to build reputation individually.

EV Code Signing

Today we are announcing our support for an important advance in code signing – the
availability of EV code signing Certificates. We’re also announcing that EV code
signing certificates will integrate with the SmartScreen Application Reputation
technology in Internet Explorer 9, Internet Explorer 10 and in Windows 8.

Microsoft has been working with the CA industry over the past year to help make
EV code signing certificates available. These certificates bring two key advancements
from a safety and identity perspective. First, they require a more rigorous vetting
and authentication process, similar to that of the EV SSL certificates in use today:
each developer must pass a comprehensive identity verification and authentication
process. Secondly, EV code signing certificates require the use of hardware to sign
applications. This hardware requirement is an additional protection against theft
or unintended use of a code signing certificate.

Programs signed by an EV code signing certificate can immediately establish reputation
with SmartScreen reputation services even if no prior reputation exists for that
file or publisher. Other factors are still considered when generating reputation and
determining product experiences, and EV-signed programs will be closely monitored over time.
We think the improvements in the vetting and security of these certificates are
a great development for both users and developers.

As of today, EV code signing certificates are being issued by Symantec and DigiCert, and the integration with SmartScreen is already live (IE9, IE10 & Win8).

Detractors may claim that SmartScreen is “forcing” developers to spend money on
certificates. It should be stressed that EV code signing certificates are not required
to build or maintain reputation with SmartScreen. Files signed with standard code
signing certificates and even unsigned files continue to build reputation as they
have since Application Reputation was introduced in IE9 last year. However, the
presence of an EV code signing certificate is a strong indicator that the file was
signed by an entity that has passed a rigorous validation process and that the signing
was done with hardware, which allows our systems to establish reputation for that entity
more quickly than for unsigned or non-EV code signed programs.
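As an added example (not code from this post or from Microsoft), the following PowerShell reads from a downloaded executable the facts the reputation discussion above turns on: whether the file is marked as downloaded from the Internet, whether its Authenticode signature verifies and chains to a trusted root, and whether the signing certificate asserts an EV code signing policy. The EV policy OID 2.23.140.1.3 (CA/Browser Forum) is an assumption, since the post names no OID and individual CAs may use their own; the hardware-key requirement is enforced by the issuing CA and is not visible in the signed file itself.

```powershell
# Added example; not code from the IEBlog post or from Microsoft.
# Assumption: CA/Browser Forum EV code signing policy OID (the post names none).
$EvCodeSigningPolicyOid = '2.23.140.1.3'
$CertificatePoliciesOid = '2.5.29.32'     # X.509 Certificate Policies extension
$ExtendedKeyUsageOid    = '2.5.29.37'     # X.509 Extended Key Usage extension
$CodeSigningEkuOid      = '1.3.6.1.5.5.7.3.3'

function Test-InternetZoneMarker {
    param([Parameter(Mandatory)][string]$Path)
    # Browsers tag saved files with a Zone.Identifier alternate data stream; ZoneId=3
    # is the Internet zone, the trigger for a first-launch reputation check.
    # Requires PowerShell 3.0 or later for -Stream.
    try {
        $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        return [bool]($zone -match '^ZoneId=3')
    } catch {
        return $false   # no stream: file is not marked as downloaded from the Internet
    }
}

function Get-CertificatePolicyOids {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $CertificatePoliciesOid }
    if (-not $ext) { return @() }
    # On Windows, Format($true) renders the decoded extension, one line per policy,
    # e.g. "Policy Identifier=2.23.140.1.3"; collect every dotted OID it lists.
    $found = [regex]::Matches($ext.Format($true), 'Policy Identifier=([0-9.]+)')
    return @($found | ForEach-Object { $_.Groups[1].Value })
}

function Get-SmartScreenRelevantFacts {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $hasCodeSigningEku = $false
    $policyOids        = @()
    if ($cert) {
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ExtendedKeyUsageOid }
        if ($eku) {
            $hasCodeSigningEku = [bool]($eku.EnhancedKeyUsages |
                Where-Object { $_.Value -eq $CodeSigningEkuOid })
        }
        $policyOids = @(Get-CertificatePolicyOids -Cert $cert)
    }

    [pscustomobject]@{
        Path                = $Path
        MarkedFromInternet  = Test-InternetZoneMarker -Path $Path
        # 'Valid' means the hash matches and the chain ends in a root this machine
        # trusts; an approximation of "issued by a Windows Root Program CA".
        SignatureStatus     = $sig.Status
        StatusMessage       = $sig.StatusMessage
        Signer              = if ($cert) { $cert.Subject } else { $null }
        Issuer              = if ($cert) { $cert.Issuer } else { $null }
        HasCodeSigningEku   = $hasCodeSigningEku
        PolicyOids          = $policyOids
        ClaimsEvCodeSigning = $policyOids -contains $EvCodeSigningPolicyOid
    }
}

# Usage (path is a placeholder):
# Get-SmartScreenRelevantFacts -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

A `ClaimsEvCodeSigning` of `$true` with a `SignatureStatus` other than `Valid` should be treated as no signature at all: the policy OID is only meaningful once the chain verifies.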

Best Practices

Developers should still follow the best practices we’ve suggested in past blog posts.
We have added to that guidance the additional options of distributing apps through
the Windows Store and the option of EV code signing:

  • Distribute your apps through the Windows Store
    Windows 8 Applications are required to pass the Windows Store developer onboarding
    and application review process. Windows 8 applications are not in scope for SmartScreen
    application reputation checks or warnings in Windows 8.
  • Digitally sign your programs (Standard or EV code signing)
    Reputation is generated and assigned to digital certificates as well as specific
    files. Digital certificates allow data to be aggregated and assigned to a single
    certificate rather than many individual programs. Although not required, programs
    signed by an EV code signing certificate can immediately establish reputation with
    SmartScreen reputation services even if no prior reputation exists for that file
    or publisher. EV code signing certificates also have a unique identifier which makes
    it easier to maintain reputation across certificate renewals. Only Authenticode
    Certificates issued by a CA that is a member of the Windows Root Certificate Program
    can establish reputation.

    At this time, Symantec and DigiCert are offering EV code signing certificates.

  • Don’t sign or distribute malicious code
    Distributing code detected as malicious will remove the reputation from a file and
    also any reputation from the associated digital certificate – even if signed with
    an EV code signing certificate.
  • Apply for a Windows Logo or Windows 8 Desktop App Certification
    Learn more about these programs here:

We’re pleased with the announcement today of the availability of EV code signing
certificates and we’re also happy to be able to bring SmartScreen Application Reputation
to a new set of Windows users soon with Windows 8.

—Jeb Haber, Lead Program Manager, SmartScreen

Comments (21)

  1. Eric says:

    Please, can someone from microsoft confirm when ie10 RC will be released in windows 7

  2. George says:

    @Eric – There is no such thing as IE10 RC for Windows 7. The RTW version of IE10 for Windows 7 will probably be available before the end of this month, since Windows 8 RTM will become available on TechNet and MSDN tomorrow, according to this blog post: windowsteamblog.com/…/bloggingwindows

    People, please be patient… 🙂

  3. Yannick says:

    @ Eric – I think you get Internet Explorer 10 RTW earlier than you would ever see an IE10 RC for Win7…

    @ George – Let's hope it's before the end of the month! Tomorrow?

  4. Con artist says:

    @George, @Eric, you know that Windows 8 RTM is available on torrent as of now.. with crack! Its desktop environment is much faster than Windows 7!

  5. update says:

    IE 9.0.9

    (by windows update)

  6. George says:

    @Yannick – Most probably. You know, they have to optimize IE10 for Windows 7, since it doesn’t bear all the improvements made under the hood in Windows 8. Also, IMO they are porting IE10’s engine, Trident 6.0 to the Windows Phone platform (WP 7.8 and WP8).

    @update – because yesterday was Patch Tuesday.

    @Con artist – Yes, I am fully aware of the existence of Windows 8 RTM (build 9200.16384). I am currently using it for testing purposes (drivers, apps, benchmarks, etc.). I totally agree that Windows 8 is fast and fluid. I have installed many programs (Office 2013, Photoshop CS5 and others) and the system is always fast. Boot times have been improved drastically – from POST to the lock screen in 3 seconds. Desktop really loads fast even after cold boot, it’s ready in less than a second. IE10 is blazing fast! Also, the fact that Flash player is incorporated, IMO makes up for less Flash-related crashes (I haven’t experienced any). I have found myself using Modern UI apps more and more, especially Music Maker Jam, Wikipedia, Cocktail Flow, One Note MX and some games as well. Actually, I haven’t run into any problem using Windows 8 – all of my devices were recognized during setup (which in my case, took 25 minutes when keeping old files and 11 minutes when doing a fresh install). The WEI score is the same as in Windows 7, which means that most Desktop apps will work without applying compatibility settings. My graphics card works out of the box with the included drivers, which support DirectX 11.1. Battery life is slightly longer than in Windows 7 (because memory footprint is nearly halved and there is no Aero – meaning less graphics power used and more compatibility with older games, like Age of Empires II.) Basically, the touch experience can be fully achieved using the mouse and the keyboard (Microsoft is also working with Touchpad manufacturers in order to provide new drivers for touchpads, which would enable some of the touch gestures even on a non-touchscreen device). The much-debated Start Screen is not counter-productive. In fact, I’ve arranged the tiles into groups and also named the groups conveniently. If I want to access an item, I either scroll until I find the appropriate group, or, I press the Windows key and start typing its name. It’s really simple. 
    Also, I should mention that I love the built-in Reader app – it’s quite functional, considering it’s not a Desktop app. It showcases how powerful Modern UI apps can be when they are well-coded.

    The Windows Team has done a very good job! Microsoft deserves a big up this time! 🙂

  7. Malcolm says:

    Where is the IE10 beta for Windows 7?!?!

    Where is Microsoft to answer all the questions about the Adobe Flash Proprietary & Closed Censorship List that business web applications are not allowed to apply for?

    When are we going to hear that completely ridiculous whitelist concept has been killed and the program manager responsible for introducing it before publicly vetting the strategy with LOB/Enterprise partners and companies and developers has been fired for trying to force developers to comply with it, not listening to a single F (dash,dash,dash) ing word that developers have been SCREAMING at Microsoft to address and respond to?!?!?!

    Read that last sentence again. Seriously!! What kind of game are you playing Microsoft!?! WE WANT ANSWERS!!!

    The user agent for IE10 in (strike)Metro mode(/strike) is still not usable and doesn't help developers distinguish the default partial browser from the full capability browser.

    Are sessions going to be fixed across Metro/Desktop IE?! Or is that still an epic disaster like in the beta previews we've seen?!?!

    Has anyone addressed the usability issue when switching back to the blank scene in metro?

    Has Microsoft fixed metro mode so that all 2 or 3 of our monitors show content?!?! Or is it still completely wasting valuable desktop real estate?!?!

    Certificates are great (and I'm surprised they haven't always been tied to hardware) but you've massively insulted the development community by not answering a single one of our questions for the past 2 months!!!!

    Furiously yours,

    Malcolm

  8. Metro failure from the windows team blog says:

    Here's a review of metro in windows 8 from the windows team blog.  It looks like metro is awesome except for the parts that are completely useless and don't work as advertised – which is pretty much all of them and everything has been mentioned on this blog too.

    It is really sad that Microsoft has ignored the pleas of developers and users alike.  It's sad to hear that Microsoft had tablets first yet lost the entire market to apple, rim, and google but that's no excuse to butcher the desktop experience trying to get your tablet to market.

    It was a fun ride Microsoft – too bad it's all over now – let the downward spiral begin!

    Here's the quote:

    My personal experience with the Windows 8 Release Preview is:

    1) I can't get notifications when my contacts sign in to Messenger… So I have to use desktop to receive these notifications…

    2) I can't configure POP or IMAP account to use in Mail… So I have to use desktop to use my work account…

    3) I can't see Flash in sites… So I have to use desktop to see these sites…

    4) I can't update my status in Facebook/Twitter with People app…

    5) I can't organize Favorites in folders… So I have to use a browser in desktop to do that…

    6) There are a lot of apps about news, but none runs like an RSS Reader that allows me to select just the sources I want…

    7) When I use a Music site (like Youtube, TunesAccess) to play music in Metro Internet Explorer and change to another app, the music stops playing, and also I can't use Google Street View with IE in Metro… So I have to use a browser in desktop to do that…

    If I just had these features in Metro I definitely would change to Metro… but for me it is a throwback to use Metro…

    I hope that Microsoft does a good job and include at least these functions in the Metro

  9. davis says:

    yay EV code signing certificates – another way for Verisign (now Symantec) and Digicert to gouge customers (in this instance, developers) on the pretence of marginally improved security.

    Can we get "Windows Store Account-verified" code signing certificates that mirror "domain-verified" SSL certificates? That would provide 99.5% of the security to end-users for 5% of the cost to developers.

  10. George says:

    @davis – As stated above, developers don't have to sign their code to build or maintain reputation with SmartScreen.

    @Malcolm – The Flash issue is present even in the current RTM build, but Microsoft is enforcing the whitelist only due to power efficiency. If the Flash object isn't power-efficient, battery life will be significantly shorter. Customers will be unhappy and most will blame the Operating system. That's why Microsoft is distancing Windows 8's Immersive Internet Explorer 10 from web content. Please, be more polite in public blogs.

    @Metro failure from the windows team blog – POP3 and IMAP are fully supported on the Mail app as of Windows 8 RTM. Also, I used to find issue #7 annoying, but then I read a blog post about power efficiency and suspended apps. Apparently, when you switch away from a Modern UI app, Windows will suspend it in order to save power and resources; all multimedia processing is paused immediately, then other power-and-resource-consuming features are suspended gradually. I don't see this as a big problem, because as long as you have a screen resolution of 1360×768 or higher, you can snap the app on the side of the screen. I haven't tested the People app on Windows 8 RTM thoroughly, but definitely there are general improvements in that app as well. You can use free third-party apps if you don't find its functions satisfactory. Fliptoast and Metrotwit are excellent programs IMO.

  11. George says:

    @Victor – If your PC is going to be plugged into a wall 90% of the time and if you’ll be using business applications, then you should consider using the Desktop version of IE10. Immersive IE10 does not offer any advantages over the Desktop version and it’s used by default only by Modern UI apps. But keep in mind that not all people use their devices this way.

    If your website contains crucial content which is provided to users by means of a Flash ActiveX control, you have two options: either apply for Microsoft testing (announced at blogs.msdn.com/…/windows-release-preview-the-sixth-ie10-platform-preview.aspx – for more details, contact Microsoft directly), or take the HTML5 highway (check out blog.reybango.com/…/ios-to-ie10-metro-building-cross-browser-plugin-free-experiences for a few useful tips). If you opt for Microsoft testing, you can be sure that no confidential, sensitive data will be processed (there’s also a privacy policy related to this) – they are only interested in the specific Flash controls which your website uses.

    However, since Windows 8 hits General Availability on October 26th, Microsoft may implement feature changes through Windows Update. If you want your thoughts to be evaluated, you can use the Feedback tools provided in pre-RTM releases of Windows 8, because the Windows Team appreciates any valuable feedback. Please, be more polite and less repetitive when commenting in public blogs. It’s becoming a general annoyance.

  12. Jason says:

    @George – your prose is well written but I think you are misunderstanding the overwhelming frustration developers are feeling about this. I too am one of them and I can tell you it is taking every ounce of my strength to not litter this comment with 4 letter swear words because I am **so enraged** by the lack of communication from Microsoft on this.

    Specifically these are the problems with this current plan.  All of these have been mentioned before (however based on the release to RTM today it is clear that when Microsoft originally posted their news about the Flash Compatibility list it was already too late for them to change it). I seriously hope that Microsoft learns from this mistake and does not hide major details like this from developers until it is too late.

    Ok so here are the problems with the Flash Compatibility Whitelist:

    1.) Technically by the letter of the rules, not a single company can comply with them and request to be added to the list before Windows 8 goes RTM on October 26th.

    2.) Until windows 8 multi-touch hardware is available (and developers waste $1,000-4,000 on hardware to do the testing) they can not apply to be on the whitelist

    3.) There is a requirement to disclose the inner workings of the flash content and controls used on a site in order to apply for the whitelist.  As a matter of pure principle I (and most developers I talk to) feel that this is part of our Intellectual Property and/or business secrets and we have no interest in disclosing this information to anyone.  More importantly we fail to see the need or reason to do so.

    4.) Dynamic content.  The Internet changes constantly.  In the time that it has taken me to write this there have been 1,000's if not 100's of 1,000's of changes to what the Internet's "pages" are.  If I run a website like Facebook… there are literally millions of updates a day and that content can/will include flash based videos, flash based games, new Facebook applications that load unknown flash content.  The static compatibility whitelist does not, and will not accommodate this.  We've indicated passionately to Microsoft that a whitelist is the *exact* *opposite* of an intelligent approach to solving this "problem" (and yes, those are air quotes)

    5.) Let me repeat… binding permission to a site (any site) where the content of that site can and will change significantly over time nullifies any attempt to grant it permission based on a historical snapshot of the content.

    6.) Microsoft has not indicated how further review processes will go.  Over the next 6 months sites I work on will have content that changes – I may choose to use a different flash video wrapper, or a different file upload control.

    7.) There are many, many, many uses for flash that *can* *not* be replaced with HTML5.  e.g. I use a multiple file upload control that lets me restrict files to certain types, sizes, etc.  There is no HTML5 capability to meet this.

    8.) Usability and customer relations.  When users first discover that a site will not work in Metro IE they will blame the developer of the site (innocent) not the company that is actually restricting the customer (Microsoft).  Will Microsoft be including any end-user documentation whereby they indicate to the user that the experience downgrade caused by using Metro IE was caused by Microsoft, including a link / comment form where users can tell Microsoft what they think of this?

    9.) Access to private web application content for testing is a requirement of applying to the whitelist.  There is not a single one of my customers that is willing (or interested) in granting access to their private content so that Microsoft can run tests against it.  This is not up for discussion. period.  I will not be granting Microsoft permission to log into any of my web applications (now or ever) and I think Microsoft's request to do so in the first place was both ridiculous and insulting.

    10.) At no time has an email address and or phone number been provided for developers to call in to discuss this plan with Microsoft or attempt to solve the submission issue. This needs to be posted ASAP.

    11.) Microsoft has worked very hard at restricting any attempts to boot directly to the desktop in Windows 8 which forces users to use metro.  If you are going to force users to use Metro you need to step up to the community and start answering some questions.  Sitting silently and not responding is extremely rude and upsetting for us developers that are just trying to handle all the changes that Microsoft is forcing on us.

    I have another 10 or 20 items to add to this list but to be honest I'm tired of this.  I'm not posting any more questions until we start getting **any** answers from Microsoft.

    I don't have one of those fancy MSDN subscription things but man I tell you if I did I too would be canceling like I hear others are.  This situation has gone well beyond acceptable.

  13. Angel fish says:

    @Microsoft

    You've been asked some pretty direct and to the point questions regarding the flash support in Metro That developers need answers to.

    Please take a moment to respond to them or at least acknowledge the fact they've been asked and indicate an ETA for when you'll provide a response.

    Thank you

  14. ieblog says:

    @Angel fish: You may assume that no comment means we have nothing new to add at this time.

  15. George says:

    @Jason – Cnet.com and YouTube.com are valid examples of flash-powered web sites which are fully working in immersive IE10. (YouTube is implementing HTML5 video also – no need for flash when you’re in the HTML5 test.) How do you think they managed to be included in the “Whitelist”? Would either site give Microsoft their private data and their users’ data? No.

    msdn.microsoft.com/…/jj193557(v=vs.85).aspx is a useful resource about this topic. If you are familiar with the guidelines, then I recommend you to pay attention especially to the “Testing your site” and “Submitting your site for consideration” sections. Contact info is also provided there, if you are interested.

    However, if you don't want to go for Microsoft testing, you still can port your website to HTML5, following the same path as if you were creating a mobile site. You know, Flash is not supported by any current mobile platform (even Android dropped support as of Jelly Bean). How would you make your content accessible to mobile users (say, iPad users)? Think of it this way. While it is true that the mobile platform cannot replace the desktop platform anytime soon, the number of people using tablets and cell phones to surf the web and accomplish online tasks is getting higher. Maybe, it is time to invest in creating mobile solutions which will be fully supported at least for the following decade.

    Multi-touch hardware is already available and yet, I haven’t run across any device costing $4000. Most are in the range $400 – $1600. However, the keyboard and the mouse are still entirely supported and interchangeable with the touch interface. More guidelines will be available in the near future.

    I agree that the “Microsoft and Adobe” approach to solving this problem isn’t the best or the most intelligent – restrictive measures never give the best results. Nevertheless, it’s still a solution. Actually, when a site is not in the CV list, instead of the Flash control, there usually is some replacement text about the absence of Flash Player. I don’t see how users would blame the developer immediately. But then, it’s your responsibility to provide the functionality – you either opt for testing or you use HTML5. If your company is concerned about usability and customer relations, then it should consider those solutions.

    Lastly, no user is forced to use the Modern UI past the Start Screen, the Charms bar and the PC Settings menu. If you want to avoid the Start Screen, then there are third-party solutions available (Classic Shell and Start8 are two of them) and built-in alternatives (pinning your most used programs to the taskbar and some others to the desktop). I don’t see the Start Screen as an annoyance to anyone, simply because Desktop is one keystroke or one click away – and that consumes less than a second. Modern UI will likely be continuously improved over time, but if you don’t like it, don’t use it.

  16. David says:

    @ieblog – are you serious?!?! No comments to add at this time? The device community is up in arms about these completely unrealistic constraints you've placed on our development and your response is "no comment"! At a minimum I was expecting a "we are well aware that many developers have expressed issues with our adobe flash policy in Metro IE.  We are reviewing your concerns and will comment when we have finished our analysis".

    @George please tell me how HTML5 in Metro IE provides a solution for multiple file uploads that are currently only available through flash.

    Flash is most certainly supported on many mobile platforms including android devices, the playbook and upcoming blackberry 10 devices. (and if this is resolved likely on windows 8 phones).

    Like all developers and users that have commented thus far on the whitelist I believe 110% that a whitelist is not only the wrong approach but in fact the absolute worst possible option!

    As for the metro vs desktop thing I hope that users can boot directly into the desktop once it goes live as Metro seems to offer advanced users nothing of actual value… Just fluff.

  17. George says:

    @David – You should use Flash Player and opt for testing if you need this functionality. Flash is no longer supported on Android (uk.news.yahoo.com/jelly-bean-not-flash-support-no-more-flash-085000863.html) and it won’t be supported for long on the Blackberry platform (http://www.engadget.com/…/adobe-releases-final-flash-player-version-for-android-blackberr). What’s the hype about the Start Screen anyway? It’s not keeping you from accessing the desktop.

  18. Dale says:

    @George – you are spreading FUD.  Flash is currently supported on BlackBerry PlayBook and will be supported in BB10 the new OS for their phones.  Windows 8 (minus this catastrophic disaster called the whitelist) will support flash thus it will still be available on Windows PCs, tablets and phones.

    Now.  Will someone from Microsoft please step up to the mic and tell us when all of these issues are going to be resolved… if you are not going to, then yank Flash support 100% from this as it is going to tick off users and p*ss off developers.

    The IE10 Flash Whitelist is by far (without exceptions) the worst software design decision of the past 15 years!

  19. Will there be a way to disable SmartScreen or restrict it only to IE?

  20. George says:

    @Dale – I never said Windows 8 does not support Flash; please, if you're referencing my words, don't change them. Also, Blackberry 10 _currently_ supports Flash, but it will _not_ get updated to newer versions (say, 11.4 or 12), only security updates – hence, it won't be supported for long. The only ones spreading FUD are the ill-informed people who comment without doing some research first. If you can't cope with the Compatibility View list (I still don't get why you won't let Microsoft test your site – Cnet.com is fully working meanwhile), then feel free to explore additional options, the most obvious of which is HTML5.

    @Master Programmer – Yes, you can manage SmartScreen settings by going to the Action Center in Control Panel. Expand the Security section and you'll find the entry dedicated to Windows SmartScreen management. IMO, you shouldn't turn it off, but still, it's up to you.

  21. CoDEmanX says:

    SmartScreen is total BS if you do a lot of beta testing :/