Code Signing Certificate Providers (2016) - code-signing

I need a cheap certificate to sign my application so I can get rid of the SmartScreen warning: https://playgunscape.com/downloadgunscape/Windows8_SS_1.png
Also I'm having problems with false positives from various antivirus programs each time I release an update. As far as I've heard, signing the exe might fix this problem too.
I found an offer from Comodo, 2 years for $150. But it's still a lot of money.
https://cheapsslsecurity.com/sslproducts/codesigningcertificate.html
Does anyone know a better offer?

Unfortunately "cheap" is relative to results. The amount of time and frustration this is probably costing you is worth paying for an "EV" Class 3 certificate (Extended Validation).
Class 3 certificates are a step above Class 2. Class 2 does not require "Extended Validation". However, the "EV" code signing certificates combine all of the regular benefits of digitally-signed code with a rigorous extended validation process. They represent the gold standard for authentication and security in code signing certificates. EV code signing certificates adhere to strict validation standards from the CA/Browser Forum and to Microsoft specifications. Enhanced authentication is provided via an encrypted token containing the private key. But the downside is they cost about $350 per year... Good news... It will fix the problem.

Related

Is the Expect-CT HTTP header still relevant in 2021?

We recently had a penetration test performed on our site and one of the recommendations was to implement the Expect-CT HTTP response header:
It is recommended to implement the Expect-CT header. A sensible setting for
testing would be the following, however the max-age should
be increased from 30 seconds to in the range of months once this has been
tested and signed-off for permanent deployment.
Example: Expect-CT: enforce,max-age=30
Severity: Low
However, the MDN article for this setting says:
The Expect-CT will likely become obsolete in June 2021. Since May
2018 new certificates are expected to support SCTs by default.
Certificates before March 2018 were allowed to have a lifetime of
39 months, those will all be expired in June 2021.
Given that we are now in June 2021, is there any reason why I shouldn't just ignore this recommendation from the penetration testing report?
I was wondering the same thing. I think you need to ask yourself how up to date your users' browsers are.
As stated below, it looks to me like Firefox, Chrome and Safari enforce it. But if you have a lot of users on older browsers then it still might be useful to set the header, because it is widely supported.
From https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/docs/certificate-transparency.md:
Since 1 January 2015, Chrome has required that all Extended Validation
certificates be disclosed via Certificate Transparency. Certificates
that were not properly disclosed would be stripped of their EV status,
but no warnings would be shown to visitors to sites that did not
comply.
Since 1 June 2016, Chrome has required that all new certificates
issued by the set of root certificates owned by Symantec Corporation
are disclosed via Certificate Transparency. Certificates that were not
disclosed, or which were not disclosed in a way consistent with RFC
6962, would be rejected as untrusted.
For all new certificates issued after 30 April 2018, Chrome will
require that the certificate be disclosed via Certificate
Transparency. If a certificate is issued after this date and neither
the certificate nor the site supports CT, then these certificates will
be rejected as untrusted, and the connection will be blocked. In the
case of a main page load, the user will see a full page certificate
warning page, with the error code
net::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED. If you receive this error,
this indicates that your CA has not taken steps to make sure your
certificate supports CT, and you should contact your CA's sales or
support team to ensure you can get a replacement certificate that
works.
Here is another article https://www.thesslstore.com/blog/apple-certificate-transparency-october-15/ where Firefox and Safari also enforce it by now.
Here is Apple's new Certificate Transparency policy:
Our policy requires at least two Signed Certificate Timestamps (SCT) issued from a CT log—once approved* or currently approved at the time of check—and either:
At least two SCTs from currently-approved CT logs with one SCT presented via TLS extension or OCSP Stapling; or
At least one embedded SCT from a currently-approved log and at least the number of SCTs from once or currently approved logs, based on validity period as detailed in the table below.
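The report's recommendation above amounts to two checks on the header value: the enforce directive must be present, and max-age must be raised from the 30-second test value into the range of months. The following shell function is an added example, not part of the original question or answer; it parses the Expect-CT directives (enforce, max-age, report-uri), rejects anything malformed, and applies those two checks. The 30-day floor for "months" is an assumption to be replaced by your own policy.

```shell
#!/bin/sh
# Added example (not from the original thread): checks an Expect-CT header
# value against the report's advice: "enforce" must be present and max-age
# must have been raised from the 30-second test value to the range of months.

# Minimum acceptable max-age in seconds. Assumption: "months" is read as
# at least 30 days; adjust to your own policy.
MIN_MAX_AGE=2592000

# expect_ct_ok VALUE [MIN_AGE]
# Parses the comma-separated directives (enforce, max-age, report-uri),
# rejects unknown directives and a missing or non-numeric max-age, and
# returns 0 only when the header would enforce CT for at least MIN_AGE seconds.
expect_ct_ok() {
  value=$1
  min_age=${2:-$MIN_MAX_AGE}
  enforce=no
  max_age=
  old_ifs=$IFS
  IFS=','
  for directive in $value; do
    # directive names are case-insensitive; values (a URI, a number) are not touched
    name=$(printf '%s' "${directive%%=*}" | tr -d ' \t' | tr 'A-Z' 'a-z')
    case $name in
      '') ;;                               # tolerate a trailing comma
      enforce) enforce=yes ;;
      max-age) max_age=$(printf '%s' "${directive#*=}" | tr -d ' \t"') ;;
      report-uri) ;;                       # valid, but irrelevant to this check
      *) IFS=$old_ifs; echo "unknown directive: $name" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  case $max_age in
    ''|*[!0-9]*) echo "max-age missing or not a number" >&2; return 1 ;;
  esac
  if [ "$enforce" != yes ]; then
    echo "report-only mode: add 'enforce'" >&2
    return 1
  fi
  if [ "$max_age" -lt "$min_age" ]; then
    echo "max-age=$max_age is a test value; raise it to at least $min_age" >&2
    return 1
  fi
  return 0
}

# Constructed sample values: the report's test setting, a report-only
# setting, and a production setting with mixed-case directive names.
for sample in "enforce,max-age=30" \
              "max-age=7776000" \
              'Enforce, max-age="7776000", report-uri="https://example.invalid/ct"'; do
  if expect_ct_ok "$sample"; then
    echo "OK:  Expect-CT: $sample"
  else
    echo "FIX: Expect-CT: $sample"
  fi
done
```

Run it against the value your web server actually emits (for example the output of a HEAD request against your own site) rather than the literals above; the function reports the first problem it finds on stderr and leaves the exit status for scripting.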

bankid: how to download one's bankid client certificate at SEB?

I'm looking for a 100% Linux solution for using Sweden's BankID.
There is information online:
https://github.com/virtualforce/bankid-authentication/
http://www.herlitz.nu/2017/09/13/integrating-with-swedish-bankid-and-.net/
Now I need to download my client certificate from the bank, seb.se.
How to download one's client certificate at SEB?
It's not really clear what you want.
Do you want a Linux BankID client? That's not supported by BankID. You can find out their client requirements here:
https://support.bankid.com/sv/felavhjalpning/systemkrav
Do you want a server solution for using BankID RP interface? Go ahead, the SOAP interface is well documented here:
https://www.bankid.com/rp/info
As for downloading the certificate from SEB, you need to be a bank customer with a Swedish personal number. I'm not a customer, but judging from their website, it seems they only issue BankID on card and Mobile BankID. Once you're logged into the Internet bank with your Digipass you should have no problem finding out how to issue a Mobile BankID.
BankID on card might take some more effort though.
BankID does have a demo system for development purposes. There you can issue a fake BankID to use in the development mode, "test".

Hosting files for chromecast receiver on Google Drive

For convenience while playing with the sample apps, I am hosting the HTML and CSS pages for my receiver on Google Drive.
But I'm seeing problems fetching them due to https and certificates.
This is what "wget" says when I try to fetch from the hosting URL:
ERROR: The certificate of ‘googledrive.com’ is not trusted.
ERROR: The certificate of ‘googledrive.com’ hasn't got a known issuer.
Any tricks to quickly avoid this? Otherwise I'll look to host elsewhere...
We have never had any issues with hosting on Google Drive; we use that frequently when doing development. You need to make sure your files are public on the web. The URL you want to use is the one in the details tab (under the "Hosting" headline) (thanks to Antonio Fontan for mentioning that in the corresponding G+ post). Another alternative that I have used in the past is App Engine; that is also a good alternative.

What fields does SmartScreen use?

Does anyone know which fields SmartScreen uses for indexing application 'reputation'?
Is it just the public key? Common name as well, or...?
I am mostly interested as far as reputation continuity goes -- should I find a CA which lets me reuse the same public key at renewal, etc.
Thanks
James
This MSDN blog post doesn't directly answer the question, but suggests that there is no such thing as reputation continuity:
"Certificate rollover occurs when your old certificate expires and you begin signing your code with a new replacement certificate; all of your reputation was accumulated against the old certificate, and hence there may be a time lag for your new certificate to acquire a good reputation."
Perhaps they're using the certificate thumbprint itself? If they used the public key to identify a publisher, this wouldn't be a problem.
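The distinction the answer draws (thumbprint versus public key) can be made concrete with openssl. The script below is an added example and is not from the original thread: it creates one key pair and two self-signed certificates from it, standing in for a publisher's old and renewed certificates, and shows that the SHA-1 thumbprint differs for each certificate while a hash over the SubjectPublicKeyInfo (SPKI) is the same for both. Which of these SmartScreen actually indexes is exactly what the thread leaves open; the script only shows why the choice matters for reputation continuity. The subject name, serial numbers and validity are constructed demo values.

```shell
#!/bin/sh
# Added example (not from the original thread): a thumbprint-based reputation
# index cannot survive certificate renewal even when the publisher keeps the
# same key pair, while a hash of the public key (SPKI) would.
set -e

# Create one RSA key and two self-signed certificates from it, standing in
# for the "old" and "renewed" certificates. Constructed demo material, not
# real code-signing certificates; distinct serials keep the two certs distinct.
make_demo_certs() {
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/key.pem" -subj "/CN=Example Publisher" \
    -days 365 -set_serial 1001 -out "$dir/old.pem" 2>/dev/null
  openssl req -x509 -new -key "$dir/key.pem" -subj "/CN=Example Publisher" \
    -days 365 -set_serial 1002 -out "$dir/renewed.pem" 2>/dev/null
  printf '%s\n' "$dir"
}

# SHA-1 over the whole DER certificate: the "thumbprint" shown in Windows
# certificate dialogs. Any change to the certificate (serial, dates, issuer
# signature) changes it.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# SHA-256 over the DER SubjectPublicKeyInfo: identical for every certificate
# issued to the same key pair, whatever the serial, validity period or issuer.
spki_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

d=$(make_demo_certs)
printf 'old      thumbprint=%s\n         spki=%s\n' \
  "$(cert_thumbprint "$d/old.pem")" "$(spki_hash "$d/old.pem")"
printf 'renewed  thumbprint=%s\n         spki=%s\n' \
  "$(cert_thumbprint "$d/renewed.pem")" "$(spki_hash "$d/renewed.pem")"
rm -rf "$d"
```

Point the two helper functions at your own old and new code-signing certificates (exported as PEM) to see which identifiers your renewal actually preserved; a CA that lets you reuse the key pair keeps the SPKI hash stable, while the thumbprint changes regardless.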

Proving That an E-mail Comes from a Website Owner - How? PGP Key?

Is there a way to prove that a communication sent by e-mail or other means comes from the person in control of a website?
I'm talking about something fairly simple. Google, for instance when validating a website for Webmaster Tools or a domain for Google Apps, will ask you to put a code that they supply you into a text file located in the root directory of the website. But what I'm interested in is something that an ordinary, casual computer user could do upon receipt of an e-mail from a website operator to verify its provenance. The website owner may not have control of the domain itself or power to send e-mail from a domain address.
I've been reading up on PGP, but my head is spinning. For instance, is this scenario possible?
A long key code is published on the website.
In an e-mail another, different long key code is included.
O.K., now I'm starting to get confused.
I guess what I'm thinking of is that a recipient of a readable, plaintext message could somehow check something contained in the message against something on the website (maybe via an online web app, not any complex software that they would have to install), and they could be confident that the message came from the person in control of the website.
Ideally, this solution would be free as in beer and would not require the website owner to compromise his privacy or anonymity.
Specific recommendations of web apps or Macintosh (or Windows) apps or open source website development tools would be appreciated.
Sounds like you're after a digital signature method: http://en.wikipedia.org/wiki/Digital_signature. Publishing the public key on the website you control and signing emails with the corresponding private key is proof that you control the website.
Note that if the website is compromised in some way, the digital signature can be circumvented by the hacker publishing a different key. Better to buy a certificate from a reliable certification authority, who acts as a trusted third party to vouch for your identity.
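The workflow the answer describes, as an added example that is not part of the original post: the operator generates a key pair, publishes only the public key on the site, and ships a detached signature with each notice; the reader verifies the notice against the published key. It uses openssl rather than PGP tooling so it runs anywhere openssl is installed; the key pair, file names and notice text are constructed for the demo. The last step illustrates the caveat above: a signature made with a different key is rejected, so verification binds a message only to whoever controls the key published on the site, not to any identity beyond that.

```shell
#!/bin/sh
# Added example (not from the original answer): sign-and-verify workflow with
# openssl. The operator keeps priv.pem, publishes pub.pem on the website and
# signs each outgoing notice; a reader verifies against the published key.
set -e

# Operator side, done once: create the key pair in directory $1. Constructed demo key.
make_keypair() {
  openssl genrsa -out "$1/priv.pem" 2048 2>/dev/null
  openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
}

# Operator side, per message: detached RSA/SHA-256 signature over the message bytes.
sign_message() {    # sign_message PRIVKEY MESSAGE SIGFILE
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Reader side: exit status 0 only if SIGFILE is a valid signature of MESSAGE under PUBKEY.
verify_message() {  # verify_message PUBKEY MESSAGE SIGFILE
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

d=$(mktemp -d)
make_keypair "$d"
printf 'Maintenance window: Saturday 02:00 UTC. -- site operator\n' > "$d/notice.txt"
sign_message "$d/priv.pem" "$d/notice.txt" "$d/notice.sig"

if verify_message "$d/pub.pem" "$d/notice.txt" "$d/notice.sig"; then
  echo "genuine notice: signature matches the key published on the site"
fi

# A modified copy of the notice no longer verifies against the original signature.
printf 'Maintenance window: Sunday 02:00 UTC. -- site operator\n' > "$d/tampered.txt"
if ! verify_message "$d/pub.pem" "$d/tampered.txt" "$d/notice.sig"; then
  echo "tampered notice: rejected"
fi

# A signature made with some other key pair is rejected against the published key.
# This is also the limit of the scheme: whoever can replace pub.pem on the site
# can make their own signatures verify.
mkdir "$d/other"
make_keypair "$d/other"
sign_message "$d/other/priv.pem" "$d/notice.txt" "$d/forged.sig"
if ! verify_message "$d/pub.pem" "$d/notice.txt" "$d/forged.sig"; then
  echo "signature from an unpublished key: rejected"
fi
rm -rf "$d"
```

For the casual recipient the question has in mind, the same pattern with GnuPG is friendlier: the operator publishes an ASCII-armoured public key on the site and sends notices produced with gpg --clearsign, and the recipient imports the key and runs gpg --verify; the trust decision is identical, it rests on the key fetched from the site.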
