It’s no secret that the computer and the Internet have become bare necessities of modern life: many of us rely on them for a myriad of important activities, including work, banking, shopping, and personal and business communication. And, to say the least, it’s not much fun when your PC suddenly starts acting like a slowpoke or behaving stark raving mad: it can actually be so annoying that you end up hating the whole world and everyone in it. One of the most common causes of such havoc is malware, which somehow always finds a way to sneak into your system.
The term malware describes a broad category of damaging software: viruses, adware, spyware, worms, Trojan horses and so on. Many such programs can reinstall themselves after you have removed them, or hide deep within Windows, which makes them very difficult to get rid of; the consequences range from simple irritation and software or hardware crashes to outright identity theft. Of course, anti-virus developers are constantly racing against attackers in a never-ending effort to keep up with new threats, but, if truth be told, the best way to combat malware is simply to prevent it from ever being installed.
As a matter of fact, malware is often hidden in the software or shareware you download from the Internet. That’s why, before installing any program you’ve downloaded, it’s important to make sure that it is trustworthy. But how can one determine that? No, it is not about your gut feeling. A digital signature tells you the origin of the program: you can verify who published it and then decide whether it is safe to install or run. It also lets you detect whether the code has been changed or corrupted since it was signed, and it makes it much harder for attackers to distribute their destructive software under someone else’s name. To make things clear, let’s find out how digital signing works.
A digital signature is backed by a digital certificate. A certificate is an electronic document issued by a trusted third party called a certificate authority (CA), which verifies the software developer’s identity; the developer, in turn, submits proof-of-identity documents and signs a pledge not to distribute malicious code. Before the certificate is requested, the developer generates a pair of mathematically linked keys: a public key and a private key. The private key stays with the developer (ideally on a hardware token, so it cannot simply be copied off a computer) and is never shared with anyone, while the public key is sent to the certificate authority as part of the certificate request. Once the certificate is issued, the developer signs his or her code using the private key that corresponds to the public key in the certificate.
When you download signed code, you also get a copy of the certificate identifying the author or publisher. Windows (or your browser, for a download it inspects) then verifies two things: that the signature on the code was produced with the private key matching the certificate, and that the certificate itself was issued by a certificate authority your system trusts. Only when both checks pass does your system know that the code really came from that particular publisher. If the developer’s private key is compromised, the certificate can be revoked, so that systems which check revocation status no longer trust signatures made with it, and the certificate authority issues a new certificate; the developer then signs the code with the new private key.
If a file gets corrupted during download, infected by malware or modified by someone else, the digital signature becomes invalid, because the signature covers a cryptographic hash of the program and even a one-byte change produces a different hash. Thus, if the signature verifies, you are assured that the program is exactly as it was when the developer signed it. But where can the ordinary user find and check that mysterious signature? Fortunately, you don’t need expert knowledge or special training: on Windows, a signed file’s Properties dialog has a Digital Signatures tab, and PowerShell’s Get-AuthenticodeSignature cmdlet reports whether a file’s signature is Valid, NotSigned or HashMismatch. Most of the time, though, Windows checks it for you.
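The mechanism described above (a CA signs a certificate binding a publisher name to a public key, the publisher signs the code with the matching private key, and a verifier checks the certificate against the CA and the code against the certificate) can be modelled end to end in a few dozen lines. The following is an added example written for this page, not code from the original article or from any real code-signing tool: it uses textbook RSA over SHA-256 built from Python’s standard library only, so it runs offline, and the publisher name, CA and installer bytes are all constructed for the demo. Real code signing uses proper signature padding (PKCS#1 v1.5, PSS or ECDSA), X.509 certificates, timestamping and revocation checks; none of that is modelled here.

```python
"""Toy model of code signing with standard-library Python only.
A CA signs a certificate binding a publisher name to a public key; the
publisher signs its code with the matching private key; a verifier checks
the certificate against the CA's public key and the code against the
certificate. Textbook RSA over SHA-256, NOT for production use: real code
signing uses PKCS#1 v1.5/PSS or ECDSA padding, X.509, timestamps and
revocation checks. All names and data below are constructed for the demo."""
import hashlib
import json
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with the top bit set, so the modulus has full size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public, private). 512-bit modulus is for demo speed only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so phi % e != 0 => gcd is 1
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def canonical(obj):
    """Deterministic byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(private, data):
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(digest, private["d"], private["n"])


def verify(public, data, signature):
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, public["e"], public["n"]) == digest


def issue_certificate(ca_private, subject, subject_public):
    """The CA vouches for (subject name, subject public key) with its own key."""
    body = {"subject": subject, "public_key": subject_public}
    return {"body": body, "ca_signature": sign(ca_private, canonical(body))}


def verify_signed_code(ca_public, cert, code, code_signature):
    """Chain check first, then the code signature; return (ok, reason)."""
    if not verify(ca_public, canonical(cert["body"]), cert["ca_signature"]):
        return False, "certificate was not issued by the trusted CA"
    if not verify(cert["body"]["public_key"], code, code_signature):
        return False, "code was modified after signing (or wrong key)"
    return True, "signed by " + cert["body"]["subject"]


def demo():
    ca_public, ca_private = generate_keypair()        # trusted root (constructed)
    dev_public, dev_private = generate_keypair()      # legitimate publisher (constructed)
    cert = issue_certificate(ca_private, "Example Software Ltd", dev_public)
    code = b"MZ\x90\x00 constructed stand-in for an installer"
    sig = sign(dev_private, code)
    results = {"genuine": verify_signed_code(ca_public, cert, code, sig)}
    # Flip one bit after signing: the hash changes, so the signature no longer matches.
    tampered = code[:-1] + bytes([code[-1] ^ 0x01])
    results["tampered"] = verify_signed_code(ca_public, cert, tampered, sig)
    # Attacker mints a certificate with the same name but without the CA's key.
    atk_public, atk_private = generate_keypair()
    fake_cert = issue_certificate(atk_private, "Example Software Ltd", atk_public)
    results["fake_cert"] = verify_signed_code(ca_public, fake_cert, code, sign(atk_private, code))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'VALID' if ok else 'INVALID'} ({reason})")
```

Running it shows the three outcomes the article describes: the genuine file verifies with the publisher’s name, the tampered copy fails on the code signature even though the certificate is fine, and the attacker’s self-issued certificate fails at the chain check before the code is even looked at. Note that the verifier never needs the publisher’s private key; it needs only the CA’s public key, which is why a compromised or stolen private key has to be handled by revocation rather than by anything the verifier can detect on its own.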
Remember those annoying Windows User Account Control (UAC) pop-ups that warn us about the risks of installing or running applications? Yes, everyone has probably seen this type of alert; however, for some reason, we tend to ignore them and allow the file to run anyway without a second thought. But, as it turns out, UAC shows a different dialog for digitally signed and unsigned software: a verified publisher’s name is displayed for signed code, while unsigned code gets a yellow-banded warning with “Publisher: Unknown”, which is precisely the cue that protects your PC from suspicious software. Sure, an attacker could in theory obtain a code signing certificate and sign a virus, but that leaves a real identity on record and makes him or her accountable for it, and signing certificates have also been revoked when keys were stolen or obtained fraudulently. So a valid signature tells you who is responsible for the code, not that the code is harmless; it is an accountability check, not a guarantee. And why should attackers even bother, when there is still an army of users who will carelessly click “Yes” without even reading the UAC message?
To put it briefly, whenever you download software onto your computer, pay attention to its digital signature. If an application is distributed anonymously or by some questionable company, you should think twice, because it may well try to trick you into installing things you don’t want, and you never know what you may end up with. Remember the old proverb? Prevention is better than cure. So make sure you download programs only from reputable sources, and let Windows check the signature before you click.