WHITE PAPER To Increase Downloads, Instill Trust First Code signing from VeriSign certifies the publisher and integrity of the code

Upload: sachi-sawamura

Post on 07-Jan-2017



Contents

+ Building trust: The first step to distributing software

+ Code signing delivers confidence

+ How code signing benefits a software publisher

+ What kinds of applications can I sign?

+ VeriSign’s code signing solution

+ Best practices for code signing

+ Conclusion

+ About VeriSign


+ Building trust: the first step to distributing software

Distributing your software through online and wireless channels brings substantial benefits: You can save money, get your code out faster, and bypass the inventory and fulfillment constraints of shipping out discs and getting space on retailers’ shelves. But how can you make best use of those digital channels to circulate your code as widely as possible?

Start by looking at the process of downloading software from your prospective customer’s or user’s point of view. They see potential risk in installing code. No matter how exciting your new functionality and the promise of your latest application, individuals and companies are concerned that they may be putting viruses or malware on their machines. Those viruses and malware can wreak havoc: Stealing personal and financial data, damaging files and systems, and compromising company-confidential information.

The potential impact of malware is even more serious in the mobile environment, where malicious code can spread through the network to everyone who subscribes to the provider’s wireless services. Fixing the damage can cost mobile network providers huge amounts of time and money. Even worse, some damage can’t be easily fixed. When companies lose the trust of their customers, they usually lose the customers, too.

So before potential customers or users can feel comfortable downloading your code, and before most platform and network providers will run it, they need to know two things: First, who you are, and second, that the code hasn’t been changed since you published it.

+ Code signing delivers confidence

Code signing provides customers and users a verified, third-party answer to these two questions, removing the biggest hurdles to widespread acceptance and distribution of your code. Customers feel confident buying software in the retail environment because shrink-wrapped packaging and mainstream distribution provide implicit third-party verification of the publisher and assurance that the code hasn’t been tampered with. Now they can feel the same confidence buying code online because code signing provides explicit third-party confirmation of the source of the code and its integrity. This increases prospective users’ trust in your business and ultimately boosts your sales and downloads.

VeriSign Code Signing helps build user trust because users see it in action: When they attempt to download a signed application, a pop-up dialogue box informs them of the true identity of the publisher and asks whether they wish to continue or cancel downloading. Users can see if code is signed with a trusted Certificate Authority (CA), self-signed, or unsigned. When used externally, a self-signed certificate is about as convincing as a homemade photo ID, and platforms do not recognize its root. Unsigned or self-signed code triggers an alert that the software publisher is unknown and could be detrimental to the system. Users are unlikely to download any application that is not signed by a trusted CA.


Users know when code comes from a recognized software publisher because they see a dialogue box, similar to this one, that tells them the publisher’s identity.

But when code is unsigned, self-signed, or signed by an obscure CA, the system does not recognize the root and displays this warning, which makes it unlikely that users will proceed with downloading and running the application.


+ How code signing benefits a software publisher

As a software publisher, the biggest benefit you’ll get from code signing is help in establishing user trust in your online applications. Trust stimulates user adoption of digitally shrink-wrapped, code-signed downloadable applications and helps you sell more software online. Also, code signing enables you to respond more rapidly to changes and opportunities in the market because it frees you from reliance on slow and costly traditional distribution channels so you can reach a worldwide market in near-real time.

Code signing also helps protect your intellectual property, making it much harder for criminals to use your company name to distribute bogus software or to tamper with your code. If they do change your code, the code signing certificate will be revoked, which warns the end user that the software is no longer verifiable. This may also free your business of legal responsibility for any damages caused by altered code.

With the reassurance of code signing, platform providers, network providers, and device manufacturers are more likely to accept your applications in their environments, giving you faster, easier access to more channels and more users. Code signing also makes it possible for you to enter partnerships or sales contracts with major companies, increasing your potential market size.

Last but not least, users are learning to avoid any applications that are not code-signed. Soon code signing won’t be optional but an essential prerequisite for any company that wants to distribute software online.

+ What kinds of applications can I sign?

You can sign any type of software as long as it requires installation by the user. The software can be for internal or external use. Types of code that you can sign include:1

• Packaged software
• Web applications
• Freeware
• Shareware
• Enterprise applications
• OEM software
• Operating systems
• Utility software
• Device drivers
• Middleware for software integration

Code signing supports your commercial sales and external distribution efforts by reassuring would-be users and buyers with the digital equivalent of shrink-wrap. It also satisfies the requirements of most platforms, networks, business customers, and partners, all of which are increasingly demanding code signing before entering into an agreement.

Even if you’re focused only on internal distribution of code to users within your company, code signing is still important. Potential users will already know who you are but might not be able to run your code if your IT department requires all code to be signed. Many IT organizations now prevent anyone from running unsigned applications, and won’t run applications unless they know which individuals are responsible for them.

1 Online interactive survey of software developers and decision makers, conducted by VeriSign, 7/2008 and Code Signing users interview, conducted by VeriSign, 12/2008

Code signing is essential to your business, for several reasons:

+ Protects your intellectual property and business reputation

+ Meets the requirements of platforms and network providers as well as business customers

+ Builds customer confidence and trust

+ Eliminates disruptive security alerts that might turn away customers or increase support inquiries

+ Helps increase market reach and adoption of downloadable software


+ VeriSign’s code signing solution

VeriSign® Code Signing Certificates and Signing Accounts allow you to “shrink-wrap” online software with a digital signature that verifies the authenticity of you as a publisher and the integrity of the application.

Whether you use a code signing certificate or a code signing account, it will only be effective in inspiring user confidence if the users trust the CA. A certificate from a CA users have never heard of may generate security warnings and make them suspicious, leading them to check further before they proceed.

Choosing VeriSign as your CA increases the odds that users will download your software, because it’s the world’s most trusted and widely recognized Internet security brand.2 As the leading CA, VeriSign supports more desktop and wireless platforms than any other code signing provider. VeriSign roots come pre-installed on most platforms and devices, so your VeriSign code-signed software will almost certainly install smoothly, without triggering the security warnings and error messages that make potential users anxious.

Annual audits by KPMG confirm the thoroughness of VeriSign’s approach to identity assurance. Before VeriSign issues you a certificate, VeriSign authenticates that you are part of a legally registered organization. In addition, VeriSign contacts each signing entity using independently verified contact information to ensure that the registered organization has indeed requested the certificate.

Code Signing Certificates

VeriSign® Code Signing Certificates support Microsoft Authenticode®, Microsoft Office and VBA, Sun Java™, Adobe® AIR™, and Macromedia Shockwave. Once you obtain your certificate, you can sign your files using a signing utility specific to the platform.

With a Code Signing Certificate, you can sign multiple applications as long as your certificate is active. Each time you sign code, the certificate generates a digital signature using a unique private key that authenticates the code source and code integrity. You sign all code with the same digital signature using public key cryptography.

When a user’s system software or application encounters your signed code, it uses a public key to decrypt the signature. By comparing the hash used to sign the application against the hash on the downloaded application, the system determines whether the code is properly signed. If your code passes this test, most systems will install it without further prompts. If your code fails this test, the system will do one of several things depending on the platform, application, and client security settings: It can warn the end user, not allow the download, or allow the download without interruption.

Typically, a code signing certificate is valid for one to three years. However, you can save on the cost of maintaining your code by using VeriSign’s free time stamping service, which allows customers to verify that the code signing certificate was valid at the time of the digital signature, and that the code has not been changed since.
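The check described in the two paragraphs above (recover the signed hash with the public key, compare it with the hash of the downloaded file, then use the time stamp to judge certificate validity), as an added example that is not VeriSign's code. It uses unpadded textbook RSA with a constructed, deliberately weak demo key so that it runs on the Python standard library alone; the names `Certificate`, `SignedPackage`, `sign`, `verify` and `run_demo` are hypothetical, the time stamp is assumed trustworthy, and chain validation to a trusted root is left out.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Optional

# Constructed demo key built from two Mersenne primes. It is trivially
# factorable and exists only so the example runs with the standard library.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the publisher


@dataclass(frozen=True)
class Certificate:
    publisher: str
    modulus: int
    exponent: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class SignedPackage:
    code: bytes
    signature: int
    cert: Certificate
    timestamp: Optional[datetime]  # assumed to come from a trusted time stamping service


def digest(code: bytes) -> int:
    """SHA-256 of the code as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(code).digest(), "big")


def sign(code, cert, private_exponent, timestamp=None):
    """Publisher side: transform the hash of the code with the private key."""
    signature = pow(digest(code), private_exponent, cert.modulus)
    return SignedPackage(code, signature, cert, timestamp)


def verify(pkg, now):
    """Client side: returns 'valid', 'tampered' or 'certificate-not-valid'."""
    # Recover the hash the publisher signed, using only the public key.
    signed_hash = pow(pkg.signature, pkg.cert.exponent, pkg.cert.modulus)
    # Compare it with the hash of the bytes that were actually downloaded.
    if signed_hash != digest(pkg.code):
        return "tampered"
    # With a time stamp the certificate must have been valid when the code was
    # signed; without one it must still be valid at verification time.
    reference = pkg.timestamp if pkg.timestamp is not None else now
    if not (pkg.cert.not_before <= reference <= pkg.cert.not_after):
        return "certificate-not-valid"
    return "valid"


def run_demo():
    cert = Certificate("Example Publisher (constructed)", N, E,
                       datetime(2009, 1, 1), datetime(2010, 1, 1))
    installer = b"constructed installer bytes v1.0"
    stamped = sign(installer, cert, D, timestamp=datetime(2009, 6, 1))
    unstamped = sign(installer, cert, D)
    after_expiry = datetime(2012, 3, 1)
    return {
        "stamped, checked after expiry": verify(stamped, after_expiry),
        "unstamped, checked after expiry": verify(unstamped, after_expiry),
        "unstamped, checked while valid": verify(unstamped, datetime(2009, 7, 1)),
        "one byte appended": verify(replace(stamped, code=installer + b"!"), after_expiry),
    }
```

Production signing tools use padded signature schemes and a time stamp that is itself signed by the time stamping service; the control flow of the check is the same.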

Signing Account

VeriSign Signing Account currently supports Microsoft Mobile2Market. A VeriSign Signing Account uses the same combination of public and private keys as a Code Signing Certificate, but instead of a certificate that allows you to sign multiple applications with the same signature, the Signing Account lets you create a unique digital signature for each iteration of the code. This makes it easier to track and manage the development process and released versions of code. So, if an application is distributed wirelessly, and a problem occurs with a new version or upgrade, you can recall just the faulty code, without impacting the rest of your published applications.

Who requires code signing—and why

Platform providers

Code signing is already a requirement for any program written for the .NET environment, kernel mode, Adobe AIR, and some mobile platform certifications such as Microsoft Mobile2Market and Symbian Signed®. These platforms will generate warning messages or refuse to install an application unless it’s code signed by a recognized Certificate Authority (CA). Windows platforms such as Vista and Server 2008 also require code signing for the Windows Logo program certification. Trends in the industry indicate that soon all operating systems, application development platforms, and mobile devices will only install signed code.

Network providers

Network providers are especially wary of buggy or malicious applications and many of them will not run unsigned code. In a network environment, the potential consequences of downloading malicious code include destruction of the mobile device, service interruption, spread of the malicious application, identity theft, and financial damage. The cost of this damage could run into the billions of dollars within minutes. Not only do network providers fear disruption to service, they also fear any kind of negative experience that might drive away customers. Retaining customers is essential to network providers’ business models for sustaining and increasing profitability.

2 Extended Validation and VeriSign Brand, Conducted by TecEd, 10/2007


When you enroll for a Signing Account, you purchase a Publisher ID and a bundle of Content IDs. The Publisher ID is a digital certificate that contains your organizational information. To sign code, you log into the Signing Account portal using the Publisher ID for authentication, upload your code, and sign your content. If you are eligible to use Windows Privileged Access, you then take the extra step of sending the code to a third-party testing house for an enhanced security check. VeriSign then creates a unique code signing certificate, the Content ID, and attaches it to your code. When users click to download the code, the Content ID provides their devices a signature that the devices check against the VeriSign public key. If the signature and key match, those devices will download and execute the code.

If you’re a publisher handling a large number of applications and frequent builds, VeriSign provides a SOAP-based Publisher API in addition to the normal browser-based interface for signing code. You can use the API to script your signing activities and integrate them into the overall application development process.

For more information about VeriSign Code and Content Signing Products, please download “Securing Code Transfer with Signing: A Technical Overview” or go to www.verisign.com/code-signing

+ Best practices for code signing

In conversations with software developers and publishers as well as users, VeriSign has heard of a variety of code signing practices. Some of these approaches work better than others. Based on this input, we offer the following best practices that can enhance the value of code signing.

Give each developer his or her own certificate. Companies often share a certificate among all developers working on the same program, but for security reasons it’s good to be able to track the changes made by individual developers.

Sign frequently. Some companies sign code several times a day. That may or may not be necessary, depending on your development procedure, but the majority of companies see value in signing applications at every build.

Make sure your certificates offer time stamping. Time stamping allows users to verify that the code signing certificate was valid when the software was signed, even if the certificate has since lapsed. With time stamping, you won’t have to keep renewing certificates on software you’re no longer modifying, saving you time and effort and reducing a certificate’s total cost of ownership.

Automate the process with Publisher API. If your development process employs continuous build, use the same certificate throughout so that you can keep everything in testing identical to the client experience. Consider Publisher API for daily build or a frequent build cycle.

Use certificates for change control and quality assurance. If you don’t use continuous build, designate a production certificate. You can issue individual developers self-signed certificates that are trusted only on their development computers. When code is ready for production, a manager can sign it with a code-signing certificate that is trusted by the production environment. This way, you can prevent untested code from being installed on your production environment.

Who requires code signing—and why

Consumers

Consumers are less wary than network providers, but they are increasingly cautious about what they install on their machines. When they see pop-ups that warn them about possible Trojan or ActiveX problems, they’ll either back out of installing the software or they’ll call for support. Consumers feel most comfortable buying software in a shrink-wrapped package from a major chain store, but today, just 34.6% of developers distribute their software through traditional channels, while 43.8% distribute software online and 34.6% through wireless services.3 Code signing is the new shrink wrap: a way for consumers to benefit from the wider range of choice available through online distribution while getting the same assurance of provenance and code integrity that they used to get only from physical packages.

Business-to-business customers

If you’re considering entering into a partnership or sales contract, code signing may be a necessary precondition. Code signing helps all parties to an agreement verify that developers have followed the guidelines for controlling applications. This builds partners’ trust in the integrity of your code, so they’re likely to deploy those applications more widely, and adopt upgrades and new functionality more readily. Ultimately, this could increase both your sales and share of customer.

3 Online interactive survey of software developers and decision makers, conducted by VeriSign Internal Research on Software Developers, 7/2008


Sign all applications for wireless platforms, .NET environments, and kernel mode. Otherwise, it’s virtually impossible to distribute them.

Choose a certificate from a leading CA. Eight out of ten software publishers choose VeriSign4 because it is the market-leading CA, with its root certificates preinstalled on most devices and embedded in most applications. Publishers recommend choosing a strong CA brand, one that helps build customer recognition, support, and a good reputation5. If your application is code-signed with a VeriSign certificate, almost all platforms will trust it and install it without error messages. Root certificates from smaller CAs are not as likely to be included in the platform, and users may get warning messages.

Don’t put off code signing for any reason. In a recent VeriSign® customer survey, customers said that the cost of the code-signing solution was minimal compared to the product cost and potential loss of customers that would result from not using code signing products 6. Stay current with the industry best practice!

+ Conclusion

Code signing is becoming mandatory for software publishers

Code signing is the best way to meet the requirements of today’s code transfer environment, which demands publisher verification and proof of code integrity. By certifying origin of the code and guarding against unauthorized code changes, code signing creates a digital “shrink-wrap” for code that builds the confidence of users, platform providers, network providers, and device manufacturers. Code signing is a win/win—by protecting your own reputation and that of your business, you also protect your buyers and users, which in turn increases their adoption of your downloadable software.

In a Code Signing users interview conducted by VeriSign in December 2008, software publishers and developers commented that customers increasingly say they won’t purchase unsigned products. Publishers observed that code signing makes it easier for them to distribute software over the Internet and increases customers’ willingness to download code. Several commented that as soon as a certificate expires, users start calling the software publisher, and the publisher starts calling VeriSign to renew. They can’t let the reassurance of code signing lapse.

VeriSign is the best choice for code signing solutions because it supports more development platforms than any other CA. Its certificate roots are most ubiquitous and are backed by the most trusted and most widely recognized security brand on the Internet7. With a VeriSign certificate authenticating your code, users are more likely to download it and their systems are likely to install it without question. And once VeriSign has helped you establish user trust, you have the chance you’ve been looking for: To impress customers and users with the innovation and functionality of your software, increase sales and distribution, and grow your business.

4 Online interactive survey of software developers and decision makers, conducted by VeriSign, 7/2008

5 Code Signing users interview, conducted by VeriSign, 12/2008

6 Code Signing users interview, conducted by VeriSign, 12/2008

7 Extended Validation and VeriSign Brand conducted by TecEd, 10/2007


+ About VeriSign

VeriSign is the trusted provider of Internet infrastructure services for the digital world. Billions of times each day, companies and consumers rely on our Internet infrastructure to communicate and conduct commerce with confidence.

+ For more information

For more information about VeriSign® Code and Content Signing, please call 866-893-6565 or 650-426-5112, send an email to [email protected], or visit www.verisign.com/code-signing today.

Visit us at www.verisign.com for more information.

©2009 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle, VeriSign Secured, and other trademarks, service marks and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.

00026963 02-23-09