This report was written in spring 2006 for a post-graduate information assurance class with the Graduate School of Management at the University of Dallas. This report analyses Microsoft's Authenticode from the point of view of the micro-ISV (independent software vendor), paying particular attention to possible reasons for its mixed acceptance. The report includes the results of an online questionnaire (using WISCO Survey Power) sampling micro-ISV viewpoints.
As well as the abstract and conclusions (reproduced below), the full report and presentation are available as downloads. Both the report and presentation are PDF documents, and remain the (C) Copyright of Richard Marsden.
Microsoft introduced their Authenticode code signing mechanism in 1996, in answer to an increasing number of malicious web (ActiveX) controls and executable programs on the Internet. Code signing attempts to authenticate authorship by applying a digital certificate to the control or program.
Internet downloads have become the preferred delivery mechanism for small Independent Software Vendors (Micro-ISVs). Authenticode should help to verify that these products are genuine and have not been tampered with, but some Micro-ISVs are reluctant to purchase or use Authenticode certificates.
This paper analyzes Authenticode from the point of view of the Micro-ISV, including both the positive aspects and the perceived flaws. Micro-ISV attitudes and experiences with Authenticode are surveyed.
In order to generate downloads and purchases, Micro-ISVs must demonstrate the bona fide nature of their software. Microsoft Authenticode currently provides the best way of demonstrating authenticity, but it has seen limited acceptance amongst Micro-ISVs. A survey was conducted to determine Micro-ISV knowledge of Authenticode, and reasons for the low acceptance. The survey results confirmed Authenticode's relatively low acceptance by the Micro-ISV community, despite a good awareness of its theoretical strengths and weaknesses.
A significant problem identified is communication by both Microsoft and the certificate authorities (CAs). Many Micro-ISVs have problems finding information about using Authenticode, and there is a widespread feeling that the general public is poorly educated about the certificates and related warning dialog boxes.
There was a mixture of opinion concerning the ease of obtaining a certificate. Some found it too difficult or too expensive, whilst others found it too easy. Two examples of fraudulent certificates were identified. This is potentially a very serious problem. Fraud will happen, but Microsoft and the CAs must be very active in identifying fraud cases, revoking fraudulent certificates, and pushing for arrests. For Authenticode to be seen to work, this must be seen to happen. Microsoft and the CAs must be more active in following up reports of fraud and publicizing their activities in this area.
The remaining major problem is that of Microsoft's public image. Although Microsoft's intentions appear to be positive, many people view Authenticode as a protection racket. These people are particularly vocal in their opinion. It is difficult to counteract this with good public relations, but it could be helped by a high-publicity, proactive approach to verifying CAs, revoking certificates, and even arrests. This would demonstrate that Authenticode works.