How to remove the security warning, or should you?

This morning there was an interesting question in the Windows Vista Security Newsgroup. The poster had written an application that users were downloading. However, when they ran the application they received a warning dialog, like this one:

The poster wanted to remove this warning dialog to avoid confusing users.

This dialog is created because Internet Explorer, and some other applications, add a bit to the file to mark it as being downloaded from the Internet. It serves as a warning that this may be untrusted content. If the file is digitally signed, the warning does not have the red shield, and the publisher is listed in the dialog, but otherwise it stays the same. The poster asked if getting a digital certificate and signing the executable would get rid of the warning. It will not. This warning is there to warn the user. I think it is an important safety mechanism, and that, rather than trying to remove the warning, which is possible, we should help the user understand it. Therefore, here is my response:

You should definitely digitally sign the application no matter what. However, that will not remove the warning. It just will have your (or your company's) name in the dialog and won't say "Unknown Publisher."

Technically, there is a way to get rid of this warning, but it is there as a warning to end users. If you remove it here, you would also remove it for all other executables. That would put your users at significant risk. If you programmatically remove that warning, you would be responsible for putting them at significant risk; a responsibility that I am pretty sure you do not want to accept.

Rather, I would suggest that you take the opportunity to educate your users. Teach them that the warning is there so that they can assess whether they want to accept the risk involved in opening applications off the Internet. In this case, you have digitally signed the application so they can trace it to you and have assurance that they are, in fact, opening a trusted application. Anytime they get a dialog like this they should evaluate it and see if they really want to accept that risk or not. If the publisher is unknown, they have no way to tell who wrote the application, and should consider it a higher risk.

Update, April 22, 2008:

Based on the comments, it is quite obvious that I was not clear enough in the post. Yes, IE adds a flag to downloaded files through alternate data streams, and there are tools that can show you those streams, and even the built-in unzip tool in Windows adds the same flag if the archive that was unzipped has the flag set. The point, however, was not how a very technically savvy user can download an advanced tool and manually review the alternate data streams, and possibly remove them. If all you want to do is remove that flag it would be far simpler, in fact, to uncheck the box in the dialog for "Always ask before opening this file"; although maybe inspecting and twiddling with alternate data streams would be more satisfying for some segment of computer users.

The point I was trying to make was that a lot of people in the tech community focus on hiding warnings from the user so that the user is not bothered, ostensibly with data they are not competent to parse. That is wrong. There are very good reasons for these warnings in many cases. Rather than trying to prevent users from seeing them we all need to do our part to help users understand what they are seeing and make appropriate decisions based on that data. That would provide a savvier user base and a more secure eco-system in the long run. We cannot keep focusing on preventing people from making risk management decisions any longer. If we do, eventually, they will realize they do not have the skills to do so, and that nobody is willing to help them acquire those skills. At that point, the eco-system will be in danger of collapse.

Published 21 April 2008 11:10 AM by jesper
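
The flag described in the update is stored in an alternate data stream named Zone.Identifier, which holds a ZoneId value. As an added example (not part of the original post), this read-only PowerShell function lists the recorded zone and the Authenticode signer for each file in a folder. The stream name and zone numbers are the standard Windows ones rather than details from the post; the function name and folder path are hypothetical.

```powershell
# Added example (read-only): show the zone marker and signer of each file.
# Assumes an NTFS volume and Windows PowerShell 5.1 or later.
$ZoneNames = @{
    0 = 'Local Machine'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-DownloadMark {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $name   = $_.Name
        $path   = $_.FullName
        $zoneId = $null
        $zone   = 'No marker'

        # The stream exists only on files that were marked when downloaded.
        if (Get-Item -LiteralPath $path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue) {
            $text = Get-Content -LiteralPath $path -Stream 'Zone.Identifier' -Raw
            if ($text -match '(?m)^\s*ZoneId\s*=\s*(\d+)\s*$') {
                $zoneId = [int]$Matches[1]
                $zone = if ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'Unknown zone' }
            } else {
                $zone = 'Marker present, ZoneId unreadable'
            }
        }

        # A file with no signer certificate is what the dialog calls "Unknown Publisher".
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'Unknown Publisher' }

        [pscustomobject]@{
            File            = $name
            ZoneId          = $zoneId
            Zone            = $zone
            SignatureStatus = $sig.Status
            Publisher       = $publisher
        }
    }
}

# Placeholder path; point it at the folder you want to review.
Get-DownloadMark -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Rows with Zone "Internet" and Publisher "Unknown Publisher" are the files that produce the red-shield form of the dialog; a SignatureStatus other than Valid on a signed file deserves a closer look before it is run.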

Comments

# Scotte said on 21 April, 2008 01:39 PM

"Anytime they get a dialog like this they should evaluate it and see if they really want to accept that risk or not. If the publisher is unknown, they have no way to tell who wrote the application, and should consider it a higher risk."

In other words, "Anytime they get a dialog like this, they should evaluate it and see if they really want to see the naked dancing pigs."

# jesper said on 21 April, 2008 02:17 PM

Yes Scotte. I know I have spoken many times about the naked dancing pigs, but the fact of the matter is that there is no other way to be safe than to think about what you are doing. Rather than trying to pretend there is, and hiding important information from users, we must help them understand that information. There are a lot of dialogs that could be improved, and we need to figure out how. But, we also must start a concerted effort to get users to understand that no technology can ultimately take responsibility to protect them. Just like when you get into a car and choose whether or not to put on the seat belt, opening an application from the Internet is a calculated risk that you evaluate. Users are no more or less capable of evaluating that risk than they are evaluating whether they ought to wear a seat belt or not.

# ac said on 21 April, 2008 06:04 PM

It is possible to do it on a per download basis, just remove the alternative data stream aka the mark of the web (Of course, if you are the app that was just downloaded, this will not work).

# Aaron Margosis said on 21 April, 2008 07:51 PM

What "ac" said.  The easiest way to do this is to browse to the containing folder in Windows Explorer, right-click the file, choose "Properties", and on the General tab, click the "Unblock" button.  Note that you have to do this to downloaded CHM files if you want the CHMs to work at all.  (I run into this all the time with the Sysinternals tools.)

# jesper said on 21 April, 2008 08:16 PM

Obviously it is possible to do on a per-download basis. In fact, you can do it much more easily by simply unchecking the "Always ask before opening this file" checkbox on the dialog above. However, in this case, the discussion was more about whether this dialog serves a purpose at all and can be generally removed so it does not recur when someone downloads a new version of the file.

# cj said on 22 April, 2008 10:07 AM

Internet Explorer marks downloaded files with an alternate data stream that indicates from which security zone the file originated.  You can find files with these streams with the sysinternals streams tool.  When explorer launches a program with the magic alternate data stream, it displays the warning.  

File locking would probably prevent the program from removing the stream once it has been launched for the first time, but you could duplicate the exe and remove the ADS from there.

# Matt said on 09 May, 2008 09:12 AM

Interesting, do download managers apply the same ADS, does Firefox, Opera, Safari?

I'd never thought about quite how this worked.

# jesper said on 09 May, 2008 09:56 AM

Matt, as far as I know, there are no other programs that apply that ADS. Firefox certainly does not. I believe it is an Internet Explorer only feature.
