New(?) Idea for Standalones

Richard Gaskin ambassador at fourthworld.com
Mon Mar 29 14:01:06 EDT 2021 

matthias_livecode_150811 wrote:

 > Don't blame Microsoft and Apple

I'm not sure anyone here is. Jumping through hoops is painful, of 
course, but I think the folks here recognize that having their data and 
devices compromised is even more painful.



 > And purchasing a code signing certificate for Windows here in Germany
 > was  also not very easy years ago, especially for independent
 > developers.
 > It was not just purchasing it in an online store. After purchase i had
 > to proof my identity through a notary agency. Comodo contacted my
 > lawyer/notary and asked for a confirmation that i am a real person.
 > Therefor i had to visit the notary office, show my papers to get
 > authenticated.  So i had not only pay for the certificate, but also
 > for the authentication through the lawyer/notary.
 > Thanks god, now Comodo is using public business registers for
 > confirmation and luckily i am listed in one of them now. So the
 > authenticaton process is much faster and without any additonal costs.

That's a valuable story.  It's good to see security taken seriously, and 
even better to see where the process is tailored over time as the 
balance between threats and remedies becomes ever more finely tuned to 
shift the burden to larger stakeholders with the resources to handle it 
well.


Once upon a time SSL certs were expensive and cumbersome to obtain.  Now 
we have projects like Let's Encrypt, which provide strong SSL certs 
automatically updated not just annually but every 90 days, for free.

The change was moving the burden from individual web site owners to 
bigger players who are also stakeholders, ISPs and ad-supported industry 
giants who need a safe web to thrive.  They have vast resources beyond 
what indies have to put on the problem, and centralized solutions can be 
handled by experts with good implementations and fewer errors.

I expect over time we'll see initiatives in the app space evolve this 
way as well, with OS vendors and other bigger stakeholders actively 
investing in ways to make it ever easier for indy devs to deploy safe 
software.

In a smaller but no less helpful way, Mark Waddingham's comment 
demonstrates the value of centralizing security process where practical:

    ...this is probably best done by improving the standalone
    building process (i.e. making it as easy as possible)
    rather than anything else.



 > As a customer btw i really prefer secure software. I know that even
 > with those security achievements software is not 100% secure, but more
 > secure than without any notarization/code signing.

The listing of Common Vulnerabilities and Exposures (CVEs) at 
CVEDetails.com is a good reminder of growth in both scope and 
sophistication of attacks:

https://www.cvedetails.com/product/156/Apple-Mac-Os-X.html?vendor_id=49

At first glance, one might see futility in the steady increase of CVEs 
against macOS growing nearly every year while Apple has made deployment 
ever more cumbersome.

But a brief pause to think about it reveals the deeper truth: imagine 
how many vulnerabilities would be exploited if OS vendors weren't adding 
hoops for deployment to jump through.

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com

More information about the use-livecode mailing list