18 comments

[ 3.5 ms ] story [ 64.9 ms ] thread
Just had another potential user that wanted to try my software get this rather silly Smartscreen error.

As a user you have to click several screens away in order to install my software. Software which is properly signed with a certificate, but well it isn't popular enough according to Microsoft to be trusted.

Not sure since when "popular" equated to "trusted".

You can click on some links to report this to Microsoft and they promise to look into it according to their automated report.

Of course.. now several months later nothing has changed.

Even if they would whitelist a single download... the next update would have the same problem again.

It is easier to release the macOS version nowadays then the Windows version and that's not really an accomplishment.

That is garbage. Bet something as stupid as pushing out your exe across a few ad networks would solve the problem. Which would highlight how dumb popular == trusted is.

Also I can see how this is why some companies put out a binary that just downloads everything it needs for an up to date install, like chrome. Avoid the problem entirely after it gets whitelisted once.

Just start shipping floppy disks again.
This wouldn't change the situation. What you ship would not meet the criteria either.
I've seen someone (either here or Reddit, forgot which) have their build script spin up a bunch of Windows VMs in a bunch of regions and cloud providers, just to open their app and say "yes" to SmartScreen so that their binaries are trusted when they ship
Lmao, thats a pretty good idea. Also at the same time shows how useless this popularity metric is.
I have more than a few downloads and installs every month.

Otherwise people would buy without installing... or never upgrade to the latest version (I try to release regularly) and the "not commonly downloaded" error is still there.

It would probably be cheaper to try and get an EV code signing certificate (if I can even get one as an indie dev)

Wow. If malicious code can be signed in the first place then that's where your problem lies, not from how many download it.

Now we'll have to deal with every game release giving big instructions on how to circumvent this message. Great.

It sadly is a bit of a click fest to get the download installed.

First it warns you to not save the download.

Next up you get the warning from the screenshot

Then you get the normal UAC prompt that shows your company details.

After that the installer itself comes up.

I think I even am forgetting a click.

It is a pretty unpleasant install experience. Another developer told me that you might be able to cure this by buying an EV certificate instead.

Yet another one said that the company he works for (pretty well known) has the same issue.

Of course I already bought a normal multi-year certificate which wasn't cheap. So now I would have to throw that away and buy an EV certificate? Which are even more expensive and don't really offer more security beyond the "it's more expensive" limit.

Oh perfect; higher barriers of entry and further entrench existing monopolies!
This metric for judging if software is trusted or not seems backwards. Solarwinds was (probably still is) quite popular for instance.
Solarwinds was quite trusted, and for good reasons if I may add.
Recent news shows that Solarwinds might have directly employed potential hackers and most companies weren't aware of them nor that their software is partially developed in Eastern Europe, not the US.
The bigger problem seems to do with updates.

Frequently updated software, while being more secure, will be more affected by this issue.

Therefore, this approach by Microsoft is making everyone using popular but often updated software, less safe by design.

Yes, I prefer to release regular updates and this isn't helping.
Most malware is likely more popular than the majority of apps this affects.

- Malware can be signed - Popularity != trustworthiness - Software "trustworthiness" shouldn't be depended on. Strong sandboxing avoids malware

Congratulations MS on undermining security even further by desensitizing users even more.

But not like it matters; you already have to randomly enter your password in random prompts that look like phishing attempts and blindly accept security warnings to do the most normal of things.