#ifdef

Do I really need a certificate?


[screenshots]

[source]

 

I have a harmless Windows application, but won't it turn out that even with a certificate it will be recognized as malicious (like one popular FTP client)?


Maybe, but... what does this change? Is this still a file from the official website with sources?

Edited by #ifdef


The certificate is there to show that someone feels responsible for this file. And is confident enough to stick his name to it. Since then it has not been altered.

1 hour ago, Sherlock said:

The certificate is there to show that someone feels responsible for this file. And is confident enough to stick his name to it. Since then it has not been altered.

... and cares enough to spend a significant amount of money, and lately effort, on buying and using one.


Indeed, I own a certificate and nothing is prohibiting me from adding a virus / spyware /adware or anything harmful whenever I want.

 

You mentioned the sponsored version of FileZilla which seems to include some questionable content: some anti-viruses seem to treat it as harmful, while others seem to report it as Adware. It doesn't matter if it has been signed or not.

 

Regarding the importance of a code signing certificate, it depends how you plan to distribute your application and your target audience: Windows will try to discourage people from installing applications which are not signed, and some people such as myself will hardly, if ever (without extra precautions such as VMs), run any non-signed EXE software.

 

You have access to plenty of documentation about the benefits of code signing online: https://www.digicert.com/signing/code-signing-certificates

 

Your choice!


[screenshot]

That's not a code-signing certificate, that's just a time-stamped certificate.

 

A code-signing certificate looks like this:

[screenshot]

 

 

Edited by Nigel Thomas
info update

Code signing doesn't guarantee that the file is virus free - it just proves that the file was signed with your (hopefully secured) certificate - i.e. the file came from who it said it comes from.

 

As @Nigel Thomas said, your screenshot is of the timestamp certificate, not the actual code signing certificate.

 

Just for giggles I downloaded that file (in a DMZ'd VM) and even Windows Defender doesn't like it. It's probably not a virus, just full of adware or potentially unwanted products. That said, I wouldn't actually install it.

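A worked check of what the posts above describe, added here as an example and not taken from any poster in the thread: it reads the Authenticode signature of a file, separates the signer certificate from the timestamp countersigner (the distinction Nigel Thomas draws between the two screenshots), checks each certificate's extended key usage, and shows that a modified copy no longer verifies (Sherlock's "since then it has not been altered"). It assumes Windows PowerShell 5.1 or later on Windows; the file path is a placeholder and the function names are my own.

```powershell
# Added example (not from the thread): inspect an Authenticode signature and
# separate the signer certificate from the timestamp countersigner.
# Assumes Windows PowerShell 5.1+; $target below is a placeholder path.

$CodeSigningEku  = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$TimeStampingEku = '1.3.6.1.5.5.7.3.8'   # id-kp-timeStamping

function Get-CertEkus {
    # Return the EKU OIDs of a certificate, or an empty list when no cert/extension.
    param($Cert)
    if ($null -eq $Cert) { return @() }
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-SignedFile {
    # Summarise who signed a file, who timestamped it, and whether the signature
    # still verifies. Status 'Valid' means the hash matches and the signer chains
    # to a trusted root; it says nothing about what the code does when run.
    param([Parameter(Mandatory)][string]$Path)

    $sig        = Get-AuthenticodeSignature -FilePath $Path
    $signerEkus = Get-CertEkus $sig.SignerCertificate
    $tsEkus     = Get-CertEkus $sig.TimeStamperCertificate

    [pscustomobject]@{
        Path               = $Path
        Status             = $sig.Status          # Valid, HashMismatch, NotSigned, ...
        SignatureType      = $sig.SignatureType   # Authenticode (embedded) or Catalog
        Signer             = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignerIsCodeSigner = $signerEkus -contains $CodeSigningEku
        TimeStamper        = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
        TimeStamperIsTsa   = $tsEkus -contains $TimeStampingEku
    }
}

function Test-TamperedCopy {
    # Copy the file, append one byte, and re-check: the signed hash no longer
    # matches, so Status is not 'Valid' any more (HashMismatch for an embedded
    # signature, NotSigned for a catalog-signed file whose hash is now unknown).
    param([Parameter(Mandatory)][string]$Path)
    $copy = Join-Path $env:TEMP ('tamper-' + [IO.Path]::GetFileName($Path))
    Copy-Item -Path $Path -Destination $copy -Force
    [IO.File]::AppendAllText($copy, 'x')
    $result = Test-SignedFile -Path $copy
    Remove-Item -Path $copy -Force
    return $result
}

# Placeholder: point this at the installer you downloaded.
$target = 'C:\Downloads\FileZilla_Setup.exe'
Test-SignedFile   -Path $target | Format-List
Test-TamperedCopy -Path $target | Format-List
```

When run against a properly signed installer, the first listing shows the publisher under Signer with SignerIsCodeSigner true and a separate timestamp authority under TimeStamper; if the subject you expected to be the publisher appears under TimeStamper instead, you were looking at the countersignature, which is the mix-up the screenshot discussion above is about. The second listing shows the same file failing verification after a one-byte change, which is the only thing the signature actually promises.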

I've used FileZilla for some time. I've just checked my latest installation:

 

Version 3.66.5

 

Signature:

 

[screenshot]

 

VirusTotal:

[screenshot]

 

As @Vincent Parrett suggests, the installer referenced by the OP may indeed bundle "sponsorship" software. Each time FileZilla updates it shows a sponsorship screen stating who sponsored the latest update - but it's only shown the once and is not intrusive.

Edited by Nigel Thomas
info update

Yeah, the FileZilla download page is a bit disingenuous with that download button; it does however say (much smaller than the button) "This installer may include bundled offers. Check below for more options."

 

which leads to this page

 

https://filezilla-project.org/download.php?show_all=1

 

where you can download an installer that doesn't trigger Windows Defender or Malwarebytes.


I have used FileZilla for years now, but can't remember the last time I downloaded it from its site!

And from the screenshot of VirusTotal, they classified it as AdWare, RiskWare... not really as malicious as it sounds, but there is still a BundleWare (which has the ability to download and run) that comes from a different developer included in that setup.

 

I recommend using the portable version from https://portableapps.com/apps/internet/filezilla_portable

But by using only the portable application we lose the ability to update in time, so I recommend using the portable platform itself; it manages these applications nicely: https://portableapps.com/

 

The selling points of this:

1) They are in one place, and with one click the launcher can check and update them.

2) They are portable, meaning if you switch Windows or copy that folder as a whole, it will work on any Windows with all the settings, history... as the user used it.


[screenshot]

 

[source]

 

It's funny because at the time of the first upload it seems to have looked like a normal installer (not sponsored).
