MSInfluentials

How to remove the security warning, or should you?

This morning there was an interesting question in the Windows Vista Security Newsgroup. The poster had written an application that users were downloading. However, when they ran it they received a warning dialog, the "Open File - Security Warning" dialog shown in the original post:

The poster wanted to remove this warning dialog to avoid confusing users.

This dialog appears because Internet Explorer, and some other applications, attach a marker to the file when it is downloaded (on NTFS, an alternate data stream named Zone.Identifier that records the file as coming from the Internet zone). It serves as a warning that the content may be untrusted. If the file is digitally signed, the warning loses the red shield and lists the publisher in the dialog, but otherwise it stays the same. The poster asked whether getting a digital certificate and signing the executable would get rid of the warning. It will not. The warning is there to warn the user. I think it is an important safety mechanism, and that, rather than trying to remove the warning, which is possible, we should help the user understand it. Therefore, here is my response:

You should definitely digitally sign the application no matter what. However, that will not remove the warning. It will only put your (or your company's) name in the dialog instead of "Unknown Publisher."

Technically, there is a way to get rid of this warning, but it is there as a warning to end users. Removing it on the user's machine would also remove it for every other downloaded executable, which would put your users at significant risk. If you programmatically remove that warning, you would be responsible for putting them at that risk; a responsibility that I am pretty sure you do not want to accept.

Rather, I would suggest that you take the opportunity to educate your users. Teach them that the warning is there so that they can assess whether they want to accept the risk involved in opening applications from the Internet. In this case, you have digitally signed the application, so they can trace it to you and have assurance that they are, in fact, opening a trusted application. Any time they get a dialog like this they should evaluate it and decide whether they really want to accept that risk. If the publisher is unknown, they have no way to tell who wrote the application, and should consider it a higher risk.
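To make the mechanism behind the dialog concrete, here is an added PowerShell walk-through that is not part of the original post. It assumes Windows PowerShell 3.0 or later (for the -Stream parameter) and an NTFS volume, and it builds its own sample file and zone marker rather than downloading anything. It shows where the "downloaded from the Internet" mark lives, that an Authenticode signature is independent of that mark, and that the per-file Unblock action (not a system-wide change) is what clears it.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 3.0+
# (the -Stream parameter) and an NTFS volume, because the "downloaded from the
# Internet" mark is an NTFS alternate data stream named Zone.Identifier.
# The file below and its marker are constructed here; nothing is downloaded.

$file = Join-Path $env:TEMP 'mark-of-the-web-demo.exe'
Set-Content -Path $file -Value 'placeholder, not a real executable' -Encoding ASCII

# 1. Simulate what Internet Explorer does on download: attach a Zone.Identifier
#    stream recording zone 3. Zone numbers: 0 Local machine, 1 Local intranet,
#    2 Trusted sites, 3 Internet, 4 Restricted sites.
Set-Content -Path $file -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# 2. List the streams on the file. A marked file shows Zone.Identifier next to
#    the unnamed data stream (:$DATA) that holds the actual contents.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# 3. Read the marker itself. ZoneId=3 is what makes Explorer show the
#    "Open File - Security Warning" dialog when the file is launched.
Get-Content -Path $file -Stream Zone.Identifier

# 4. Check the Authenticode signature. Signing changes what the dialog says
#    (publisher name instead of "Unknown Publisher") but never touches the
#    Zone.Identifier stream, so the warning still appears. This placeholder
#    carries no signature, so Status is NotSigned (or UnknownError, because
#    Windows cannot parse it as a PE image).
(Get-AuthenticodeSignature -FilePath $file).Status

# 5. The per-file way to clear the mark, equivalent to the "Unblock" button on
#    the file's Properties dialog: it deletes only this file's Zone.Identifier
#    stream and leaves every other downloaded file still protected.
Unblock-File -Path $file

# 6. Confirm the stream is gone: the query now returns nothing.
Get-Item -Path $file -Stream Zone.Identifier -ErrorAction SilentlyContinue

Remove-Item -Path $file
```

Unblock-File acts on one file the user has already decided to trust, which is the decision the post wants users to make consciously. The system-wide alternative the post warns against is the Attachment Manager policy "Do not preserve zone information in file attachments": once that is set, no downloaded executable on the machine carries the marker, and the dialog disappears for everything, not just your application.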

Read the complete post at http://msinfluentials.com/blogs/jesper/archive/2008/04/21/how-to-remove-the-security-warning-or-should-you.aspx


Posted Mon, Apr 21 2008 1:10 PM by Jesper's Blog

All postings are copyright Jesper M. Johansson or Steve Riley, in the year they were made. These postings are provided "AS IS" with no warranties, and confer no rights. All postings are the sole opinions of Jesper M. Johansson or Steve Riley and do not reflect any official opinion of anyone else with whom the poster(s) are affiliated or has been affiliated in the past. Use of included code samples is permitted for non-commercial use, with no warranties of fitness express or implied. All use of any information or code snippets posted in this blog at the user's sole risk. The blog site would like to thank www.ownwebnow.com and www.exchangedefender.com for their support.