matthias_livecode_150811 wrote:

> Don't blame Microsoft and Apple

I'm not sure anyone here is. Jumping through hoops is painful, of course, but I think the folks here recognize that having their data and devices compromised is even more painful.

> And purchasing a code signing certificate for Windows here in Germany
> was  also not very easy years ago, especially for independent
> developers.
> It was not just purchasing it in an online store. After purchase i had
> to proof my identity through a notary agency. Comodo contacted my
> lawyer/notary and asked for a confirmation that i am a real person.
> Therefor i had to visit the notary office, show my papers to get
> authenticated.  So i had not only pay for the certificate, but also
> for the authentication through the lawyer/notary.
> Thanks god, now Comodo is using public business registers for
> confirmation and luckily i am listed in one of them now. So the
> authenticaton process is much faster and without any additonal costs.

That's a valuable story. It's good to see security taken seriously, and even better to see where the process is tailored over time as the balance between threats and remedies becomes ever more finely tuned to shift the burden to larger stakeholders with the resources to handle it well.

Once upon a time SSL certs were expensive and cumbersome to obtain. Now we have projects like Let's Encrypt, which provide strong SSL certs automatically updated not just annually but every 90 days, for free.

The change was moving the burden from individual web site owners to bigger players who are also stakeholders, ISPs and ad-supported industry giants who need a safe web to thrive. They have vast resources beyond what indies have to put on the problem, and centralized solutions can be handled by experts with good implementations and fewer errors.

I expect over time we'll see initiatives in the app space evolve this way as well, with OS vendors and other bigger stakeholders actively investing in ways to make it ever easier for indy devs to deploy safe software.

In a smaller but no less helpful way, Mark Waddingham's comment demonstrates the value of centralizing security process where practical:

   ...this is probably best done by improving the standalone
   building process (i.e. making it as easy as possible)
   rather than anything else.

> As a customer btw i really prefer secure software. I know that even
> with those security achievements software is not 100% secure, but more
> secure than without any notarization/code signing.

The listing of Common Vulnerabilities and Exposures (CVEs) at is a good reminder of growth in both scope and sophistication of attacks:

At first glance, one might see futility in the steady increase of CVEs against macOS growing nearly every year while Apple has made deployment ever more cumbersome.

But a brief pause to think about it reveals the deeper truth: imagine how many vulnerabilities would be exploited if OS vendors weren't adding hoops for deployment to jump through.

 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web

use-livecode mailing list
Please visit this url to subscribe, unsubscribe and manage your subscription 

Reply via email to