Adobe AIR-Is a self signed app OK? - air

I want to develop an app using Adobe AIR. But I have to sign it using a code signing certificate. I don't wan to buy a code signing certificate. Would it be OK if I distribute my app with a self-signed certificate?

The only difference between using a real certificate and a self-signed certificate is what the user sees in the initial installation dialog. With a real certificated they'll see a yellow "!" and the app will shown to be of "KNOWN" origin, and your company name will be shown. With a self-signed cert, there will be a red "?", and it will say the app's publisher is "UNKNOWN". You can see samples of the two dialogs at the very bottom of this page.
So realistically, it comes down to whether you're okay with people seeing a scary warning at install time. If you're only offering up the apps as a "use at your own risk" thing, or the app will be used mainly by a small group of people who already know who you are (an internal company app, e.g.) that may not be an issue, but if you hope for random internet people to come use your app and trust it, a cert may be a good idea.

That depends on your definition of "OK", but most likely no.
A self-signed certificate will not have been issued by a trusted CA, and your certificate will be considered untrusted by the client. I don't think (but have not tested) that the user is actively prevented from installing an app with an untrusted certificate, but they would at least get a warning, and that doesn't give your user a good first impression of your app.
If it's just for yourself or for a small group of people who know and trust you, then a self-signed certificate is most likely not a problem, but if you're distributing it to the world, you will almost certainly prefer a proper certificate.

I have recently looked into developing an Air App for the company to distribute to customers. On OSX Mavericks - on my mac and my designer's mac a red warning signs pops up stating that we are an unknown publisher - This was using the self signed certificate. The whole process was clunky with the installation, I had to verify that we were legitimate, as this warning sign inferred we were a looking to distribute something underhand.
From a marketing perspective this looked terrible.
In addition to this I managed to find someone to test the whole process of downloading the air app with a self signed cert on windows with an 'average' amount IT skills and this is what they said:
"Nah I didn't download it... it looked like it wanted to put a virus on my computer." And that is where download ended.
Currently we are looking to get some seal of trust on the application for distribution purposes.
Verisign, Thawte look interesting, although costly.
http://www.symantec.com/code-signing/adobe-air
https://www.thawte.com/code-signing/
Or read this page for more information
http://help.adobe.com/en_US/air/build/WS5b3ccc516d4fbf351e63e3d118666ade46-7ff0.html

Related

Building installer Reputation with Windows SmartScreen

In recent years it has become impossible to have a downloadable windows app without using an SSL cert to sign your install executable so that Windows SmartScreen doesn't put up warnings (and even delete the file) when clients download it.
There are two types of SSL certs that you can use:
A regular Cert which can be for either a company or an individual.
An EV Cert, which costs 3x as much and can only be issued to a company.
The problem with the regular cert is that is doesn't immediately get you past SmartScreen. You have to "build your reputation" first... which I believe means you have to have enough people download your product (possibly downloading it specifically with Microsoft Edge browser) that they start to believe you are not a virus maker or some such thing.
The problem is, I cannot find any guidance anywhere on how long it takes to build a "reputation". 10 downloads? Easy 50 downloads? Sure. 10000 downloads? That would require spending a lot of money on an advertising campaign that would not convert.
Does anyone have any experience that could help narrow this range down?

Issue loading my site in https

recently, I ordered a SSL certificate for my website. Prior to that, everything worked fine for me, the website was fast and I had no issue. Since the certificate has been installed by OVH... Well... Things changed... The issue is that not everybody has the same behaviour as me. When I go on "https://www.areaprog.com/" with different browsers, here is what I get:
Chrome:
"Your connection is not private
Attackers might be trying to steal your information from
www.areaprog.com (for example, passwords, messages or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID"
Firefox:
"This connection is untrusted
You have asked Firefox to connect securely to www.areaprog.com, but we
can't confirm that your connection is secure.
Technical details:
www.areaprog.com uses an invalid security certificate.
The certificate is only valid for ssl2.ovh.net
(Error code: ssl_error_bad_cert_domain)"
Internet explorer:
"The security certificate presented by this website was issued for a
different website's address.
Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server."
I asked to OVH and everything is fine for them and apparently, it is also the case for other people out there (I asked around to see if I was the only one), but other people also experiences the same issue...
Moreover, Firebug keeps on saying:
"This site makes use of a SHA-1 Certificate; it's recommended you use
certificates with signature algorithms that use hash functions
stronger than SHA-1"
Besides, for people who are experiencing this issue, well, the site is extremely slow. For me, a simple page takes more than 20 seconds to load...
Does some of you have the same issue than me and does someone have an idea of what to say to OVH who keeps telling me that everything is OK?
Thanks a lot

Local site testing with BrowserStack and self-signed certificates

I have started looking into testing our site with BrowserStack.
However, I'm having issues with live-testing (as opposed to automated testing with Selenium, which mostly works fine) a site we're developing as we're serving it with a self-signed certificate.
Manually approving the certificate doesn't bother me as much as the fact that some Ajax request are failing (at least on IE10) due to security issues and this makes it impossible to actually manually test the site.
An acceptable solution would be to somehow add our self-signed cert. into the list of trusted root CAs. However, I haven't found out how to upload files into the BrowserStack test environment (not sure if that's even possible, really).
Any ideas ?
I contacted BrowserStack about this issue, and their formal response is:
"We currently do not support installing client certificates on the remote machines. However, this is on our list, and we’ll keep you posted."
Hopefully this issues will be resolved soon and I'll post a different answer here.
April 2021 update:
BrowserStack has shipped a toggle to trust self-signed certs.
It is available on iOS and Android devices for now.
When it happens, open the "Network" tab, and open in a new tab the request which is failing. If it is "just" a certificate issue, you would then be able to bypass the warning. Then, your request should work correctly.
When the "Cannot Verify Server Identity" dialogue pops up, click details, then 'Trust'. This will work if all calls are to the same domain as the website.

Yellow Triangle Message

I am the owner of myhomeworkhelp.com and we had taken SSL certificate for our business website. We are getting Yellow Triangle Messages in all webpages, but the main problem is if you will open my website on Firefox, Torrent and IE it will not give Yellow Triangle Message but when we come on Chrome, it gives Yellow Triangle Message. We tried to find a solution for this. We had talked hosting company, SSL provider and our website developer, but every one saying all is fine. Can you help me to fix this issue?
Let me know if you have question
Your certificate uses old unsafe security setting (SHA1 signature) and Google Chrome decided to warn about it since Jan 1.
Ask for a new SSL certificate with SHA256 signature.
you may find the following useful:
https://support.servertastic.com/the-site-is-using-outdated-security-settings-that-may-prevent-future-versions-of-chrome-from-being-able-to-safely-access-it/
&
https://support.servertastic.com/deprecation-of-sha1-and-moving-to-sha2/
On chrome its just a warning to let you know that they are transitioning to SHA-2 ( SHA256 ) support and notifying about the older less secure methods used by your existing SHA1 cert.
All is currently fine but you may want to move stuff over to 256 to remove the triangle on chrome, it will probably happen on other browsers soon as well. :)

Digitally Signing Install Shield installer

I was recently given a VB.NET project for fixing some bugs and creating an installer for it. I was told to use Install Shield LE.
All went well with creating the install script but Windows 8 is giving me a smart screen warning when downloading the application from a web site and trying to install it.
I am aware of Windows 8 policy where popular applications get more "trust points" and become popular but the application is targeted for a fairly small audience of people therefore we can not rely on this option. Even more, people without proper knowledge would be repelled by the warning message and that could cause MS to never raise the trust for the application.
My question is, do I have to sign both - the application and the installer with a certificate? If so how do I sign the installer, as there is a signing tab for the project but I can't find one for the installer.
Bonus points if anyone can tell me if acquiring a proper certificate will remove the warning message telling this isn't a commonly downloaded file and might be dangerous from chrome/IE when downloading the application. There are many threads about this, I know, but most of them suggest adding the site to webmaster tools but that hasn't helped and we're still receiving the message
Thanks.
If I have read your post correctly then you are talking about an application as opposed to a website, and for that you would need a code signing certificate. Certificates that sign websites are different so first and foremost decide what it is that you are producing and want to sign.
Having decided that then you need to decide who you will use to supply your certificate. Typical sources would be VeriSign, Thwaite or Globalsign to name but three. All charge different prices but essentially do the same thing.
Once you have the certificate then the installer that you use to build your application signs the code files you select and the actual installer (msi or exe) itself.
That should eliminate the message that you now see warning people about potentially dangerous files that they are about to download.
I cannot stress enough however that you need to be clear about which type of certificate you need BEFORE you go ahead and buy one. I think from your description you are talking about a code signing certificate but do check first.
Following CAB forum regulation you will need to have an Extended Validation code signing in order to bypass the smart screen filter.
Extended Validation code signing will establish immediate trust with the machine, as you go through a more stringent validation process to obtain it! (or at least that's the rationale behind it!)
I think you can get an extended validation code signing either from SYmantec or GLobalsign.