matthias_livecode_150811 wrote:

> Don't blame Microsoft and Apple

I'm not sure anyone here is. Jumping through hoops is painful, of course, but I think the folks here recognize that having their data and devices compromised is even more painful.



> And purchasing a code signing certificate for Windows here in Germany
> was also not very easy years ago, especially for independent
> developers.
> It was not just purchasing it in an online store. After purchase I had
> to prove my identity through a notary agency. Comodo contacted my
> lawyer/notary and asked for a confirmation that I am a real person.
> Therefore I had to visit the notary office, show my papers to get
> authenticated. So I had not only to pay for the certificate, but also
> for the authentication through the lawyer/notary.
> Thank God, now Comodo is using public business registers for
> confirmation and luckily I am listed in one of them now. So the
> authentication process is much faster and without any additional costs.

That's a valuable story. It's good to see security taken seriously, and even better to see where the process is tailored over time as the balance between threats and remedies becomes ever more finely tuned to shift the burden to larger stakeholders with the resources to handle it well.


Once upon a time SSL certs were expensive and cumbersome to obtain. Now we have projects like Let's Encrypt, which provide strong SSL certs automatically updated not just annually but every 90 days, for free.

The change was moving the burden from individual web site owners to bigger players who are also stakeholders, ISPs and ad-supported industry giants who need a safe web to thrive. They have vast resources beyond what indies have to put on the problem, and centralized solutions can be handled by experts with good implementations and fewer errors.

I expect over time we'll see initiatives in the app space evolve this way as well, with OS vendors and other bigger stakeholders actively investing in ways to make it ever easier for indy devs to deploy safe software.

In a smaller but no less helpful way, Mark Waddingham's comment demonstrates the value of centralizing security process where practical:

   ...this is probably best done by improving the standalone
   building process (i.e. making it as easy as possible)
   rather than anything else.



> As a customer btw I really prefer secure software. I know that even
> with those security achievements software is not 100% secure, but more
> secure than without any notarization/code signing.

The listing of Common Vulnerabilities and Exposures (CVEs) at CVEDetails.com is a good reminder of growth in both scope and sophistication of attacks:

https://www.cvedetails.com/product/156/Apple-Mac-Os-X.html?vendor_id=49

At first glance, one might see futility in the steady increase of CVEs against macOS growing nearly every year while Apple has made deployment ever more cumbersome.

But a brief pause to think about it reveals the deeper truth: imagine how many vulnerabilities would be exploited if OS vendors weren't adding hoops for deployment to jump through.

--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 ____________________________________________________________________
 ambassa...@fourthworld.com                http://www.FourthWorld.com
