“It’s never good to scare away your customers. It’s even worse if you don’t realize you’re doing it. That was me. Like most folks in the developer community, it’s been years since I last used Internet Explorer as my daily browser. Oh sure, we all keep copies around for web development work, but Firefox, Chrome, and Safari now rule the web roost. Unfortunately, that was not the case with the Blurity userbase.” Wise lesson from Jeff Keacher.
That sort of thing is why, on sites with money involved, I try to borrow a Windows machine to interaction-test every link at least once per version of IE using IETester. (Or the better VirtualPC VHDs Microsoft offers, if the owner is OK with it)
If/when I get the non-POSIX compatibility on my non-web projects mature enough to release Windows binaries, I’ll probably either find a way to bypass those warnings (eg. checking if a Zipped EXE passes through) or only offer source for projects written in languages like Python or put up a big notice saying that it costs money I don’t have to shut up IE’s safety warnings.
(Let naive users assume Microsoft is running some kind of protection racket for all I care. I only sell my time, not products of it which can be duplicated at no cost and were probably written for my own personal use anyway)
Edited 2012-07-14 01:25 UTC
My first child will be here very soon. After reading this, I know I’m going to train her with IE and not those other browsers. I want her to be fearless with her computer, and all the scary false positives with IE will be great training ground for recklessly ignoring pointless, panic inducing signage.
LOL, I would say those pointless, panic inducing dialogs might be a lawsuit waiting to happen. If I were a developer releasing commercial software, and then found out IE was flagging my software as possibly being harmful, thereby causing users to abandon the installation and probably costing me money, I would be pretty pissed. I mean, this could not even really be considered as a false positive.
The scary thing is how easy it is to get rid of those, just sign your executable! O_o What’s to stop malware authors and similar from signing their executables and thus avoiding SmartScreen? Heck, how many times has it already happened?
I’ve had for some time this feeling that software signing really only benefits the signing companies who make people pay for the privilege. The failures of Comodo and Diginotar go to show what centralized signing authorities are actually worth, but I’m sure that Microsoft must make tons of money by having people pay for the privilege of disabling scary warnings…
A measure need not be technically foolproof to be useful. From a game theory standpoint, the certificate requirement will disproportionately affect malware authors.
Once a certificate is blacklisted, all other malware signed with the certificate will also get blocked. Thus, malware authors only have a limited time window in which to reuse a certificate before it becomes invalid. They essentially have to buy a new certificate every few malware strains released.
Contrast this to the present situation, in which they can release as many variants as they want, for free. Even when one of the strains is detected, the antivirus signature may not block the other strains.
In contrast, non-malware software publishers only need to buy one certificate for all their software — every release, every hotfix.
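The mechanism tanzam75 describes keys reputation to the signer, not to the individual file: block one certificate and every binary it signed is blocked with it. An added example (not from the original thread or from Blurity) of inspecting that relationship locally: list the Authenticode signer of each executable in a folder and flag any whose certificate thumbprint is on a local blocklist. The folder path and the blocklist thumbprint are constructed placeholders, and the local blocklist is an assumption standing in for the reputation database SmartScreen keeps server-side, which cannot be queried offline.

```powershell
# Added example, not code from the original thread.
# Assumption: a locally maintained blocklist of signer thumbprints. The
# entry below is a constructed placeholder, not a real certificate.
$Blocklist = @(
    '0000000000000000000000000000000000000001'
)

function Test-SignerAgainstBlocklist {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature validates the signature and chain via
    # WinVerifyTrust; Status is Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }    else { '(unsigned)' }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = $signer
        Thumbprint = $thumb
        # One blocklisted thumbprint blocks every file that certificate signed,
        # regardless of the file's own hash.
        Blocked    = [bool]($thumb -and ($Blocklist -contains $thumb))
    }
}

# Assumption: the folder to scan. Replace with the directory under review.
Get-ChildItem -Path 'C:\Downloads' -Filter *.exe |
    ForEach-Object { Test-SignerAgainstBlocklist -Path $_.FullName } |
    Format-Table -AutoSize
```

A `Status` of `Valid` only means the signature verifies against a trusted chain; it says nothing about what the binary does, which is exactly the point made in the reply that follows. Note also that an unsigned file yields `NotSigned` and a null thumbprint, so it can never match the blocklist; that is the case SmartScreen handles with the reputation warning the article complains about.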
tanzam75,
Certificates can only identify WHO wrote a piece of code, not what it does or what the author’s intention is. Even the most “trusted” CAs are compromised from time to time – it’s only ever newsworthy when false Microsoft or Google certs are issued, but I’m pretty sure this happens every day with other brands that aren’t under a microscope.
Even when certificates are issued legitimately to legitimate developers, how are end users supposed to know this? The certificates really don’t tell us what is safe to install. Furthermore, even signed code from known sources can be compromised, and exploited by hackers. Developers may or may not be aware of it. And even if they are, now they’re faced with revoking the certificate used to sign all their software and potentially cause interruptions for their existing customers (which is why certificates shouldn’t be shared in the first place between all their software like you suggested).
So certificates do help provide some additional trust measures, but they aren’t ideal for security. If you have any doubt about this, just recall the IE COM component debacle – it’s a prime example of why certificate “identity” does not lead to “security”.
We should have more emphasis on fine grained application sandboxing to keep dangerous applications from having their way on user systems, regardless of the code’s “identity”.
In other words, ideally the OS should allow us to download and play a game from any source without concern for the safety of the rest of my files/applications – not much different from how we visit web sites.
Sandboxing (presumably together with users being asked about permissions) will probably just bring “UAC tiredness” – maybe even multiplied, training people to accept everything or to block everything in panic.
No way out of (more or less) walled gardens for general population, I’m afraid.
I can’t believe you rate Safari. It’s terribly slow and its UI is a pain to use. What’s with hiding the minimize, maximize and close buttons in circles 2 pixels across? Everybody I know with a Mac deprecates it to the background and loads Chrome or some other browser and does nothing but complain about how slow Safari is.
Why would you develop a product for some browser that you prefer while the customers use something else? Seems way out of line, not professional and no need to say more about that (well, I would if you were employed by me). Good that the developer realized his mistake though.
Edited 2012-07-14 08:45 UTC
Did you even read the thing? His application has nothing to do with browsers, it is a local executable. The only issue here is that IE thinks the installer is malicious, something the developer had to work around. His application itself works just fine and since the other browsers do not use the hare-brained SmartScreen filter IE uses he didn’t know of the issue.
If I were employed by you I’d quite likely be really desperate about finding a better job if you can’t even grasp such an easy article as the one here.
Did you read the thing?
His target market is non-technical Windows users. His issue isn’t the dumb SmartScreen(fooled by an SSL?), but rather not knowing his target market.
When you have an important aspect on your site that plays directly with your bottom line – you regularly have to check and test the delivery method to ensure it works on every update (your product, your software, your browser, your site code etc.) – not months later. It has nothing to do with lack of using one browser over another.
Write once, test everywhere.
Lol then find a platform specific bug like Firefox 3.6 OS/X not rendering like Firefox 3.6 in Windows. I came across this and boy did it make my day to learn that I not only had to test in a half dozen browsers but also in another operating system.
No kidding, it’s a huge mess.
I had a client ask me to make changes and not to spend any time testing it with anything other than his browser. It’s not what you think it is either… it’s AOL’s client (no joke), and it actually has a lot of its own particular issues. Lo and behold, he came back saying all his friends are having trouble with the website on iPads and tablets, devices he hadn’t even asked to target. Of course none of this surprised me, but people like him don’t appreciate how much work is needed to properly test things. All my clients are small and not very deep-pocketed, but sometimes I’m surprised at seeing much bigger websites also fail at basic compatibility, even multinational banks.
Compatibility problems should be a thing of the past, but I wonder if we’ll ever be truly free of them.
Not that I am in the legal profession, but the actions of Internet Explorer are a nearly perfect textbook definition of libel, even though the term “could harm your computer” is used.
If I were to use heavy-handed scare tactics to prevent people from downloading your software by suggesting that it may be dangerous, I would probably be sued into poverty; no matter what my intentions may have been. Why does Microsoft get a free pass at this?
If their product actually scanned the material being downloaded and compared the results to a database of known malware, that is one thing. But to just unilaterally classify anything as dangerous simply because it hasn’t been downloaded all that often or been digitally signed is outright libel.
And in any law-abiding country that respects the rule of law, you could sue for damages. I suggest you do so.
Edited to add: the Blurity blog seems to have shut down their comments system. At any rate, I am unable to get it to work across four types of browsers running on five different devices. Hence, my comment here instead of on their site.
Edited 2012-07-16 19:23 UTC
Yeah, not using IE can really put you out of touch with many users, esp. naive end users.
But the price! Ugghhh… I’d rather remain out of touch!