A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.
Doug Nebeker ("Doug")
There have been a couple of posts recently about this warning, which reminded me about some tests I ran last year to try and find out what causes this trigger.
I tested 3 browsers (Chrome, Firefox and Internet Explorer) on Windows 7 and also Windows 8.1.
Win 8 has built-in protection called SmartScreen for detecting not commonly downloaded exes, so it didn't matter what browser was used, which is why I added it to the results table.
I tested 4 new installers created with Inno Setup which contained a "Hello World" exe created with Delphi:
1 plain exe, 1 zipped, 1 code signed with a cert I have had for 18 months and 1 code signed with a brand new code cert.
I ran these tests twice, the first time on a new website set up with a domain name I've had for a while but never used, and the second time on my existing website, which has been selling software for nearly 8 years.
Please see this image for results:
Some interesting results:
Firefox lets anything through.
IE is happy with a zipped installer but blocks a new code cert!
Chrome looks at the domain name which is hosting the installer and lets anything run from an established domain.
You NEED a code signing cert for Windows 8
Thank you *very* much for posting this. I guess Google treats a switch to HTTPS as an entirely new domain?
Sunday, February 01, 2015
> You NEED a code signing cert for Windows 8
But... your own graph proves otherwise! A new website with a new cert (my situation) means that IE and Win 8 would NOT let my apps run anyway. So, what's the point of me buying a cert?
As for the certs themselves, they can be hacked so easily, so their integrity is basically a moot point anyway. Check it out:
I personally think certs are just a touchy-feely do-gooder thing that act as placebos, while making the signing companies rich. Maybe one day my view will change, but not yet.
I think certs are an important signal. You should sign your work.
Something I think that helps is to scan your upload at virustotal.com.
Other AV software, and I think Google and Bing, also draw data from this well.
I am watching this thread to see if anyone has a foolproof way to solve your problem. My guess is that nobody will.
Monday, February 02, 2015
Oh, and yes... Google does treat https as an entirely different domain. I don't believe in having both http and https. What's the point of that? If you're going to have https, go all in. Do permanent redirects from your http site to your https site. Google will follow along after a week or so and shift everything over. I
Monday, February 02, 2015