* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

This file is not commonly downloaded

There have been a couple of posts recently about this warning, which reminded me about some tests I ran last year to try and find out what causes this trigger.

I tested 3 browsers (Chrome, Firefox and Internet Explorer) on Windows 7 and also Windows 8.1.
Win 8 has built-in protection called SmartScreen for detecting not commonly downloaded exes, so it didn't matter what browser was used, which is why I added it to the results table.

I tested 4 new installers created with Inno Setup which contained a "Hello World" exe created with Delphi.

1 plain exe, 1 zipped, 1 code signed with a cert I have had for 18 months and 1 code signed with a brand new code cert.

I ran these tests twice, the first time on a new website set up with a domain name I've had for a while but never used, and the second time on my existing website, which has been selling software for nearly 8 years.

Please see this image for results:
http://focr.s3.amazonaws.com/download/commonlydownloaded.JPG

Some interesting results:
Firefox lets anything through.
IE is happy with a zipped installer but blocks a new code cert!
Chrome looks at the domain name which is hosting the installer and lets anything run from an established domain.
You NEED a code signing cert for Windows 8.
Ralph R
Sunday, February 01, 2015
 
 
Thank you *very* much for posting this. I guess Google treats a switch to HTTPS as an entirely new domain?
Andrew Gibson
Sunday, February 01, 2015
 
 
> You NEED a code signing cert for Windows 8

But... your own graph proves otherwise!  A new website with a new cert (my situation) means that IE and Win 8 would NOT let my apps run anyway.  So, what's the point of me buying a cert?

As for the certs themselves, they can be hacked so easily, so their integrity is basically a moot point anyway.  Check it out:

http://www.pcmag.com/article2/0,2817,2421085,00.asp

http://www.itpro.co.uk/638701/who-to-trust-after-the-verisign-hack

http://www.darkreading.com/attacks-breaches/digital-certificate-authority-hacked-doz/231600498

http://www.computerworld.com/s/article/9219758/After_hacking_claims_second_firm_pulls_digital_certificates

http://www.eweek.com/security/bit9-hacked-stolen-digital-keys-used-to-sign-malware/

I personally think certs are just a touchy-feely do-gooder thing that act as placebos, while making the signing companies rich.  Maybe one day my view will change, but not yet.
PSB136
Sunday, February 01, 2015
 
 
I think certs are an important signal. You should sign your work.

Something I think helps is to scan your upload at virustotal.com.
Other AV software, and I think Google and Bing, also draw data from this well.

I am watching this thread to see if anyone has a foolproof way to solve your problem.  My guess is that nobody will.
Darren
Monday, February 02, 2015
 
 
Oh, and yes...  Google does treat https as an entirely different domain. I don't believe in having both http and https. What's the point of that? If you're going to have https, go all in.  Do permanent redirects from your http site to your https site. Google will follow along after a week or so and shift everything over. I
Darren
Monday, February 02, 2015
 
 

This topic is archived. No further replies will be accepted.
