Microsoft SmartScreen & Extended Validation (EV) Code Signing Certificates

Today two Certificate Authorities (CAs), Symantec and DigiCert, announced the introduction
of EV code signing certificates. Their announcement is a positive development for users
and businesses because it helps both sides reduce fraud and increase trust. We want to
provide some more details about what this means for Microsoft’s SmartScreen and the
Windows 8 application ecosystem in general.


Windows Store & Windows 8 Apps

The introduction of the Windows Store and Windows 8 Applications will be a significant
opportunity for developers to distribute and monetize their applications. Windows 8
Applications are required to pass the Windows Store developer onboarding and application
review process. This process is designed to give users confidence in the safety of their
purchase while also making the install process as frictionless as possible. Windows 8
applications are not in scope for SmartScreen Application Reputation checks or warnings:
these apps are reviewed, code signed, licensed and distributed by the Windows Store
directly.


Desktop Apps

Desktop applications remain an important part of the Windows experience and Microsoft
remains committed to the safety of the desktop experience and our users. We recognize
that Internet Explorer (IE) isn’t the only way users download applications from
the Internet, so Windows 8 now uses SmartScreen to perform an application reputation
check the first time users launch applications that were downloaded from the Internet.

This evolution of SmartScreen from IE-only to system-wide is a significant improvement
for Windows users. We have seen incredible results with this feature in IE9, as reported
in earlier posts on this blog. Hundreds of millions of users have avoided malware
infections due to these new experiences and we’re happy to bring this protection to
Windows users, regardless of browser choice. Earlier posts also cover the IE9 application
reputation feature and its data models in more detail, as well as the security and safety
features in Windows 8, including Windows SmartScreen.

The deeper integration of SmartScreen Application Reputation also means that desktop
app developers have an additional motivation to sign their code and establish reputation.
We’ve talked in the past about the importance of digitally signing code, both for
establishing reputation and for proving the authenticity of programs. I’m happy to say
the development community has responded to this call to action. Since the release
of SmartScreen Application Reputation in IE9 we’ve seen a global increase of 10 percentage
points in signed downloads, from 73% at IE9 RTM to more than 83% today.

As we’ve discussed in the past, SmartScreen builds reputation both for individual
programs and for the certificate used to sign that code. Code signing is important
to our reputation intelligence because this higher-level identity allows us to build
reputation across multiple programs signed by the same publisher. It is also important
for publishers because signed programs inherit the reputation of the certificate
with which they are signed, so not every program a publisher distributes needs to
build reputation individually.


EV Code Signing

Today we are announcing our support for an important advance in code signing - the
availability of EV code signing Certificates. We’re also announcing that EV code
signing certificates will integrate with the SmartScreen Application Reputation
technology in Internet Explorer 9, Internet Explorer 10 and in Windows 8.

Microsoft has been working with the CA industry over the past year to help make
EV code signing certificates available. This code signing standard brings two key
advancements from a safety and identity perspective. First, EV code signing certificates
require a more rigorous vetting and authentication process, similar to that of the EV
SSL certificates in use today; each developer goes through a comprehensive identity
verification and authentication process before a certificate is issued. Second, EV code
signing certificates require the use of hardware to sign applications: the private key
is generated and kept on a hardware token or module rather than as a file on a developer’s
or build machine. This hardware requirement is an additional protection against theft
or unintended use of a code signing certificate.

Programs signed by an EV code signing certificate can immediately establish reputation
with SmartScreen reputation services even if no prior reputation exists for that
file or publisher. Other factors are considered when generating reputation and determining
product experiences and EV-signed programs will be closely monitored over time.
We think the improvements in the vetting and security of these certificates are
a great development for both users and developers.

Starting today, EV code signing certificates are being issued by Symantec and DigiCert,
and the integration with SmartScreen is already live in IE9, IE10 and Windows 8.

Detractors may claim that SmartScreen is “forcing” developers to spend money on
certificates. It should be stressed that EV code signing certificates are not required
to build or maintain reputation with SmartScreen. Files signed with standard code
signing certificates, and even unsigned files, continue to build reputation as they
have since Application Reputation was introduced in IE9 last year. However, the
presence of an EV code signing certificate is a strong indicator that the file was
signed by an entity that has passed a rigorous validation process and that the signature
was produced with a hardware-protected key, which allows our systems to establish
reputation for that entity more quickly than for unsigned or non-EV-signed programs.


Best Practices

Developers should still follow the best practices we’ve suggested in past blog posts.
We have added to that guidance the additional options of distributing apps through
the Windows Store and of EV code signing:

  • Distribute your apps through the Windows Store

    Windows 8 Applications are required to pass the Windows Store developer onboarding
    and application review process. Windows 8 applications are not in scope for SmartScreen
    application reputation checks or warnings in Windows 8.

  • Digitally sign your programs (Standard or EV code signing)

    Reputation is generated and assigned to digital certificates as well as specific
    files. Digital certificates allow data to be aggregated and assigned to a single
    certificate rather than many individual programs. Although not required, programs
    signed by an EV code signing certificate can immediately establish reputation with
    SmartScreen reputation services even if no prior reputation exists for that file
    or publisher. EV code signing certificates also have a unique identifier which makes
    it easier to maintain reputation across certificate renewals. Only Authenticode
    Certificates issued by a CA that is a member of the Windows Root Certificate Program
    can establish reputation.

    At this time, Symantec and DigiCert are offering EV code signing certificates.

  • Don’t sign or distribute malicious code

    Distributing code detected as malicious will remove the reputation from a file and
    also any reputation from the associated digital certificate – even if signed with
    an EV code signing certificate.

  • Apply for a Windows Logo or Windows 8 Desktop App Certification

    Both programs are documented separately from this post.
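The two mechanisms this post leans on for desktop apps, the first-launch check on files downloaded from the Internet and the Authenticode identity that reputation attaches to, can both be inspected locally. The following PowerShell function is an added example for this post, not Microsoft’s or SmartScreen’s own code. It reads the Zone.Identifier alternate data stream that Windows uses to mark downloaded files, then reports the file’s Authenticode status, signer, timestamp, and whether the signing certificate asserts an EV policy OID. The EV OID list (the CA/Browser Forum EV code signing OID 2.23.140.1.3) and the sample path are assumptions; the post itself names no OIDs.

```powershell
# Added example (not Microsoft's or SmartScreen's code): for one downloaded binary,
# report the two inputs the post describes - whether Windows has marked the file as
# downloaded from the Internet (which triggers the first-run SmartScreen check) and
# what Authenticode identity SmartScreen can attach reputation to.
# Assumes Windows PowerShell 3.0 or later. The EV policy OID list is an assumption.

function Get-SmartScreenContext {
    param([Parameter(Mandatory = $true)][string]$Path)

    $result = [ordered]@{ Path = $Path }

    # 1. Mark-of-the-Web. Browsers and download tools record the origin zone in the
    #    Zone.Identifier alternate data stream. ZoneId=3 is URLZONE_INTERNET; this mark
    #    is how Windows knows the file came from the Internet and needs a reputation check.
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    foreach ($line in @($motw)) {
        if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId = [int]$Matches[1] }
    }
    $result.ZoneId = $zoneId
    $result.MarkedFromInternet = ($null -ne $zoneId -and $zoneId -ge 3)

    # 2. Authenticode. Reputation is keyed on the file hash and, when the chain ends in
    #    a root from the Windows Root Certificate Program, on the signing certificate too.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $result.SignatureStatus = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
    $result.Timestamped     = ($null -ne $sig.TimeStamperCertificate)

    if ($null -ne $sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer   = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter

        # 3. EV policy. EV code signing certificates assert an EV policy OID inside the
        #    Certificate Policies extension (2.5.29.32). The CA/Browser Forum EV code
        #    signing OID 2.23.140.1.3 is assumed here; CAs also use their own EV OIDs, so
        #    extend this list for the issuers you accept. The hardware-key requirement is
        #    enforced by the CA at issuance and is not visible in the signature itself.
        $evPolicyOids = @('2.23.140.1.3')
        $policies   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
        $policyText = if ($policies) { ($policies | ForEach-Object { $_.Format($true) }) -join "`n" } else { '' }
        $result.CertificatePolicies = $policyText.Trim()
        $result.AssertsEVPolicy     = [bool]($evPolicyOids | Where-Object { $policyText -like "*$_*" })
    }

    [pscustomobject]$result
}

# Usage with a constructed sample path (a file a browser saved into Downloads):
# Get-SmartScreenContext -Path "$env:USERPROFILE\Downloads\installer.exe"
```

Run it against a fresh download before and after signing. A status of NotSigned with ZoneId 3 is the case where Windows 8 has nothing but the file hash to build reputation on; a Valid, timestamped signature is what lets the file inherit its certificate’s reputation, and a certificate asserting an EV policy is the case the post says can establish reputation immediately. Producing that signature is a signtool step outside this script, for example `signtool sign /fd SHA256 /tr <timestamp server URL> /td SHA256 /a app.exe`; the timestamp keeps the signature verifiable after the certificate expires.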

We’re pleased with the announcement today of the availability of EV code signing
certificates and we’re also happy to be able to bring SmartScreen Application Reputation
to a new set of Windows users soon with Windows 8.

—Jeb Haber, Lead Program Manager, SmartScreen