EV Shield (c)DigiCert

Bitsum Acquires EV Code Signing Certificate

Our existing code signing certificate was due to expire this year, so it was time to renew. This time around we found the certificate authorities were advertising Extended Validation (EV) code signing certificates, which are a-kin to EV/OV SSL (TLS) certificates that result in the larger green bar on some web sites. Extended Validation means the certificate authority, Symantec in our case, went through extensive steps to validate the identity, physical location, and contact information of the business. In short, they made sure we are who we say we are.

Further, EV certificates are held by a hardware token, basically a custom-type password protected USB thumb-drive that communicates with the OS via installed device drivers. This device is protected itself by a password that must be entered either once per use, or once per session. In this way, it’s more secure than a file-backed certificate stored in PFX or some other format. It not only deters any sort of casual sharing, but prevents such. This helps keep the certificate tightly controlled, as it should be!

We’ve introduced this new level of code signing in our most recent beta of Process Lasso v8. Most users won’t notice a difference since we have a good history with our existing certificate, so it’s already well trusted in the industry. One of the advantages of an EV certificate is that it comes with some pre-built trust just for being an EV certificate. Of course, that doesn’t mean it’s blindly trusted, but it’s one more deterrent to annoying false positives and SmartScreen Filter warnings.

Advice to other developers:

  • Are EV certs worth the extra cost? Absolutely. You really have to get one if you are a Windows developer. Yes, I know they are expensive, but so is your MSDN subscription (if you have one). It’s just expensive to be a Windows developer, something that is reflected in the true consumer cost of Windows software (I say true cost to account for supplemented revenue streams such as the hated installer bundle).
  • Is Symantec better than DigiCert? I don’t know for sure on this, but went with the more expensive Symantec because they are the reigning kings of digital certificates, after buying up most of the big players a few years ago. I figure you get what you pay for, BUT it may be that DigiCert’s cheaper certificates would do just as well.
  • How long a term should I get? The longest you can afford, or the maximum allowed of 3 years. You want to change code signing certificates as infrequently as possible to establish a history with the security companies.
  • In short – don’t go cheap on certificates! The one mistake I made last year was not getting an EV wildcard SSL certificate for our web servers. Microsoft’s Edge browser now treats these even more favorably than it did in the past when compared to how it displays Domain Validated (DV) SSL certificates. When we’re next up for renewal in 2018, you can bet I’ll make this change to EV.

Do note that you will have to present who you actually are when getting an EV cert. This may seem obvious, but a surprising number of businesses hide even their domain’s WHOIS information. It’s pretty bizarre to me, and I suspect done partly so that small companies can pretend to be larger than they are.

We at Bitsum want customers to know exactly who we are, and don’t pretend to be anything we aren’t.