Internet Explorer
Authenticode lets you know for sure before you download software
Software on the Internet isn't labeled and shrink-wrapped like the applications you find in retail stores, so it's not so obvious who published a piece of software or whether it's been tampered with. Microsoft provides the verification you need with Authenticode technology. It serves as a "virtual shrink-wrap" so you can be sure who created a piece of software you find on the Web before you decide whether to download it.

In addition to identifying who published the software, Authenticode verifies that the code hasn't been tampered with since the publisher signed it. Based on whether you're familiar with and have trust in a particular publisher, you can decide whether or not to install and run the software, which can include Java applets, ActiveX™ Controls, and plug-ins.

How does it work?
Microsoft provides Authenticode in conjunction with VeriSign and other certificate authorities, which issue the digital identification that software publishers use to sign their code. If a piece of software has been digitally signed, Internet Explorer 4.0 can verify that the software originated from the named software publisher and has not been tampered with. In that case, Internet Explorer will display a verification certificate.

If the code has been tampered with since it was published, the user will receive a warning. If the software hasn't been digitally signed, Internet Explorer 4.0 will ask whether the user wants to download unsigned software. For information on obtaining your own personal certificate, see Certificates.

Authenticode 2.0, which Microsoft recently released, adds to the value Authenticode brings to Internet security. One major benefit comes from Authenticode's new timestamping feature, which establishes that a piece of software was properly signed during the valid lifetime of a publisher's certificate. (Certificates have a limited lifetime so that counterfeiters do not have enough time to eventually crack the code associated with the certificate.) With Authenticode 2.0, Web publishers timestamp their signatures so the user's browser can verify that the software was signed while the publisher's certificate was active. The result: an unlimited lifetime for properly signed software, which is good news for both Web publishers and end users.

With Internet Explorer 4.0, Authenticode 2.0 delivers another new feature to protect people surfing the Web. Before downloading any potentially hazardous code, Internet Explorer 4.0 can automatically check to make sure a publisher's certificate has not been revoked. Publishers can have their certificate revoked if they abuse their code-signing agreement by, for example, creating malicious code that harms users' computers.
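
The decision flow described above, as an added Python sketch (not Microsoft's code and not the Authenticode API). All names are hypothetical and the sample data is constructed. Assumptions: a SHA-256 digest comparison stands in for real signature verification, and a revoked certificate is always refused.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from hashlib import sha256
from typing import Optional

@dataclass
class Certificate:                  # hypothetical model of a publisher certificate
    publisher: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False

@dataclass
class Signature:                    # hypothetical model of a code signature
    cert: Certificate
    signed_digest: str              # digest of the code as the publisher signed it
    timestamp: Optional[datetime] = None   # trusted signing time, if timestamped

def evaluate(code: bytes, sig: Optional[Signature], now: datetime) -> str:
    """Return the outcome a verifier would present for this download."""
    if sig is None:
        return "prompt-unsigned"    # user is asked about unsigned software
    if sha256(code).hexdigest() != sig.signed_digest:
        return "warn-tampered"      # code changed after the publisher signed it
    if sig.cert.revoked:
        return "blocked-revoked"    # assumption: revocation always refuses
    # Timestamped: judge the certificate at signing time. Otherwise: at 'now'.
    reference = sig.timestamp if sig.timestamp is not None else now
    if not (sig.cert.not_before <= reference <= sig.cert.not_after):
        return "warn-expired"
    return "verified"

# Constructed sample data: certificate valid during 1997, verification in 1999.
CODE = b"constructed sample control bytes"
DIGEST = sha256(CODE).hexdigest()
CERT = Certificate("Example Publisher", datetime(1997, 1, 1), datetime(1998, 1, 1))
NOW = datetime(1999, 6, 1)

def demo() -> dict:
    stamped = Signature(CERT, DIGEST, timestamp=datetime(1997, 9, 30))
    revoked = Signature(replace(CERT, revoked=True), DIGEST, stamped.timestamp)
    return {
        "unsigned": evaluate(CODE, None, NOW),
        "tampered": evaluate(CODE + b"!", stamped, NOW),
        "no_timestamp": evaluate(CODE, Signature(CERT, DIGEST), NOW),
        "timestamped": evaluate(CODE, stamped, NOW),
        "revoked": evaluate(CODE, revoked, NOW),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13} -> {outcome}")
```

The `no_timestamp` and `timestamped` cases use the same expired certificate; only the timestamp changes the outcome.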

People who develop software for the Web can find tools for signing their code through the ActiveX Software Development Kit.





© 1997 Microsoft Corporation. All rights reserved. Terms of Use.
Last updated: Tuesday, September 30, 1997
Photo Credits: PhotoDisc