SmartScreen, what now?
You might have noticed this message pop up a couple of times if you’ve ever tried to run a file you just downloaded on your Windows computer:
This pop-up essentially blocks you from running any unsigned executable file because, as the message puts it, Windows does not recognize the application. In most cases, this is actually a good thing! Windows users might now pause to consider whether the thing they just downloaded and are about to run could harm their system. There’s a reason Windows has been known for so much malware, and a big part of that reason is that older versions of the operating system allowed applications to gain complete system access. That improved with the addition of User Account Control, but it still did not solve the problem entirely.
UAC, or User Account Control, displays a message on the user’s screen when an application needs rights that might be dangerous or that change parts of the operating system itself. The user then has the option to either accept or reject that request. This is a good thing, because whenever something sensitive could be changed, the user is at least made aware of it and of which application is trying to make the change. As time went on, users quickly became less and less aware of these messages and simply clicked ‘Yes’ without reading them anymore, giving applications full access to the system once again. There are of course exceptions to this rule. The number of malware infections might have decreased at first, but it quickly went up again, so in essence UAC achieved nothing but annoyance.
Long live SmartScreen
Along came Windows SmartScreen, a feature in Windows that essentially, with the help of Windows Defender, scans every downloaded executable file on a computer and sends it to Microsoft for analysis (this can be turned off, of course, in your Windows Defender settings). The thing is, though, that this SmartScreen protection can be circumvented simply by signing your application. As long as you have proven who you are, that is, proven that the software users downloaded to their computers comes from YOU, as verified by the signature in the executable, Windows does not bother the user with the SmartScreen pop-up and simply lets UAC take over if need be. This all seems like a great idea, until you get to open-source developers who release their software free of charge to the entire world. The reason open-source developers have such an issue with SmartScreen is that it makes it very hard (or obscured, if you will) for a normal computer user to simply ‘run’ an executable when he or she trusts the application.
What about open-source developers?
Unfortunately for us open-source developers, this is scaring off a lot of our potential users. You see, signing your executable files isn’t free. Let’s Encrypt might have made SSL certificates a lot easier (and, more notably, free) to acquire for HTTPS connections to websites, but for us open-source software developers, acquiring a code-signing certificate costs a lot of money. And I do mean a LOT. Just quickly glancing over the prices today, I found DigiCert offering certificates for a single year for the amazing price of $499 USD. Of course, there are alternatives offering certificates for half that price, but still. You get the point. Open-source developers don’t have that kind of money lying around to pay year after year in order to avoid these pop-ups. Just to compare, this website alone costs about $50 USD to host each year. The donations we received have essentially paid for a full year of CodeDead’s uptime. What’s more, any malware developer who is good at spreading his or her malware can easily earn that money through malicious practices and use it to buy a certificate and sign the malware, completely bypassing the SmartScreen feature in Windows. Or worse, certificates can be stolen, applications can be modified by hackers before they are signed, etc. For an example, just take a look at what happened to CCleaner in 2017.
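The two paragraphs above describe what SmartScreen keys on (a file that Windows knows was downloaded, and whether it carries a publisher signature) and why a signature alone is not proof that a file is harmless. The following PowerShell script is an added example, not code from the original CodeDead post, that lets a user or administrator inspect those same inputs by hand before deciding to run a download. It assumes Windows PowerShell 5.1 or later on an NTFS volume and takes the path of the downloaded file as its only parameter; the stream name `Zone.Identifier` and the cmdlets used are standard Windows features, while the script layout and the output labels are this example's own.

```powershell
# Added example (not part of the original CodeDead post): inspect a downloaded
# executable before running it. Save as Inspect-Download.ps1 and call it with
# the path of the file, e.g.  .\Inspect-Download.ps1 -Path .\Setup.exe
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$file = Get-Item -LiteralPath $Path

# 1. Was the file flagged as downloaded from the Internet?
#    Windows records this in the Zone.Identifier alternate data stream
#    (ZoneId=3 means the Internet zone); SmartScreen evaluates files that carry it.
$zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    $zoneId = ($zone | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', ''
    Write-Output "Mark of the Web : present (ZoneId=$zoneId)"
} else {
    Write-Output "Mark of the Web : absent (file not flagged as downloaded)"
}

# 2. Does the file carry an Authenticode signature, and who signed it?
#    Status is NotSigned for an unsigned build, Valid for a signature that chains
#    to a trusted root, and HashMismatch if the file was altered after signing.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
Write-Output "Signature status: $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Output "Signer          : $($sig.SignerCertificate.Subject)"
    Write-Output "Issuer          : $($sig.SignerCertificate.Issuer)"
    Write-Output "Valid until     : $($sig.SignerCertificate.NotAfter)"
    Write-Output "Thumbprint      : $($sig.SignerCertificate.Thumbprint)"
}
if ($sig.TimeStamperCertificate) {
    Write-Output "Timestamped by  : $($sig.TimeStamperCertificate.Subject)"
}

# 3. Independent of any signature, record the SHA-256 so the download can be
#    compared against the checksum a project publishes next to its release.
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
Write-Output "Size (bytes)    : $($file.Length)"
Write-Output "SHA-256         : $($hash.Hash)"
```

Read the three sections together: a `Valid` status only shows that whoever held the signing key signed this exact file, which is why the post's point about bought or stolen certificates matters, and an `absent` Mark of the Web explains why a file copied from a USB stick never triggers the pop-up at all. Comparing the SHA-256 with the value the project itself publishes is the check that works equally well for unsigned open-source releases.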
Is there a solution?
That’s not to say that this ‘Smart’Screen message will always pop up. If some magical number of people download an application, Microsoft will reconsider the warning and stop showing it. So that leaves us open-source devs with a couple of options.
- Accept it and simply tell the user base to wait it out until enough people have downloaded the application
- Buy a certificate
I’m pretty sure most open-source developers would go for option one. So do we. Now, we’re not saying that SmartScreen is a bad idea. It has probably stopped a lot of malware from infecting computers. That is why we’re writing this blog post: to let you know that if you do happen to see this message pop up on your screen, there’s still a way to run the executables.
Simply click the ‘More info’ text displayed in the SmartScreen pop-up in order to run the application that we’re offering you:
From there, you should be good to go.