Category Archives: Microsoft

The great digital certificate ripoff?

Ripoff: A ripoff (or rip-off) is a bad deal. Usually it refers to an incident in which a person pays too much for something. A ripoff is distinguished from a scam in that a scam involves wrongdoing such as fraud. From Wikipedia.

Digitally signing your software allows you to show that you are the author of the software and that the application hasn’t been tampered with. If your software isn’t signed, Windows displays scary looking warnings when customers download it. So it makes a lot of sense to digitally sign your software if you are distributing it on Windows. So far so good.

Anyone can create their own digital signature, but Windows only ‘trusts’ signatures that have been created by certain third parties. While there are quite a few Microsoft root certificate program members, I am only aware of 3 that sell code signing (‘authenticode’) certificates. This is where it starts to get ugly. Here are their published prices per year:

Verisign: $499.00

Thawte: $299.00

Comodo: $119.95

That seems an awful lot considering that all they appear to do is check a document (e.g. a scan of your certificate of incorporation), check your whois record, multiply a couple of large prime numbers and then send you a certificate file. Much of this process is (or should be) automated. No wonder the founder of Thawte could afford to be one of the first space tourists.

Given that authenticode certificates from these three companies are functionally identical[1], as far as I can tell, why the price difference? It seems even more bizarre when you consider that Verisign now own Thawte. If you had the misfortune to sign up for the Microsoft ‘works with Vista’ program you could get a 1-year Verisign code signing certificate for $99. I doubt they were doing this at a loss, so how can they justify selling the exact same certificate for $499? I would guess that at least 99% of customers will never check who issued a certificate, so it can hardly be due to the power of the brand.

So why doesn’t someone just set up their own certification authority, get approved by Microsoft, and undercut these 3 companies? Because their root certificate wouldn’t be installed on all the millions of PCs currently out there. It would be worthless until the vast majority of PCs had the new root certificate. What a fantastic lock-in!

The good news is that you can buy Comodo certificates for much more reasonable prices from these resellers:

Tucows: $75 [2]

KSoftware: $85 ($75 for ASP members)

Which rather begs the question – if resellers can make a profit at $75, why are Comodo charging $119? Because they can, I suppose. I emailed Verisign, Thawte and Comodo to ask about the disparities in price. I only received a reply from Comodo:

This [difference between their price and the reseller price] is simply due to Retail Vs Wholesale solutions we offer. Our Resellers commit to a specific program which enables discounted prices allowing them to make margins on the product as they see fit. Whether that be reduced prices, or make a cash profit from the sale.

All 3 companies have had major price hikes in the last few years. With so little competition, why wouldn’t they? So what is Microsoft’s role in all of this? One would have thought that they would want to keep certificate prices low to encourage their wider adoption. I emailed Microsoft’s PR people to ask about pricing and whether they had any financial interest in Verisign. Here is the response:

1) Why does Microsoft “insist” on VeriSign certificates?

Microsoft Windows Quality Labs only recognizes files that are signed with a Verisign Class 3 Certificate of Authority (COA). Windows Quality Labs is evaluating recognizing other COA’s. There is a USD $399 offer for Class 3 COAs for those partners (IHVs, OEMS, ISVs) – who plan to submit solutions for Microsoft certification. More details are available at http://www.verisign.com/code-signing/msft-organizational-certificates/.

2) Does Microsoft have any comment to make on the disparity in price?

VeriSign also offers a USD $99 Organizational ID certificate. This provides authentication for organizations to Microsoft Windows Quality Labs, providing access to various services, such as creating submission IDs for products to undergo Microsoft testing. This certificate is not valid for signing drivers or executable files.

Information pertaining to Microsoft Investments can be located at the MSFT Investor Relations site, under Investments/Acquisitions: http://www.microsoft.com/msft/default.mspx.

Steve Bell, Senior Product Manager – Server Certification Programs, Windows Server

After a bit of surfing I found this page which says that Microsoft invested in Verisign in 1996. I don’t know how much they invested, but it certainly puts things in a rather different light. So Windows authenticode certificates are effectively controlled by just 2 companies, at least one of whom is part-owned by Microsoft[3]. Companies are in business to make profits, but it seems to me that these companies are using their effective monopoly to take advantage of the situation. I only see the situation getting worse as Windows displays ever more scary warnings for unsigned software. Perhaps this is something government regulators should be investigating. Let’s hope that Verisign don’t buy Comodo as well.

[1] Only Verisign certificates are recognised for some of the Microsoft certification programs, for example x64 Vista driver signing.

[2] You need to register with Tucows to login.

[3] Assuming they haven’t sold their Verisign stock. I am not aware that Microsoft owns any Comodo stock. I haven’t been able to find any further details by Googling.

Windows Vista service pack 1

Microsoft have announced that service pack 1 for Windows Vista has been released to manufacturing. Microsoft claim “great progress in performance, reliability and compatibility”. SP1 will be rolled out through Windows update from mid-March.

My own stats show that Vista has been slowly increasing market share at 1% per month. At this rate it will take it another 5 years to reach the 75% share currently held by XP. But perhaps a lot of people have been wisely waiting for SP1 before committing?

I have been using Vista on my main development machine for the last few months. It is OK once you turn the deeply annoying UAC off. But it is still hard to see any compelling reason to upgrade from XP.

Microsoft AdCenter vs Google AdWords

I have been using Google Adwords since I launched PerfectTablePlan over 2 years ago. I started using Yahoo Overture (as it was then called) at about the same time, but gave up on it due to the lousy user interface and the poor return on investment. Always on the lookout for new ways to promote my product I recently decided to investigate the new-kid-on-the-block: Microsoft AdCenter.

My first impression is that Microsoft have copied Google Adwords. Badly. All the standard Adwords stuff is there: campaigns, adgroups, exact/phrase/broad match, negative keywords etc. They haven’t even bothered to change the terminology in most cases, but it feels clunky compared to Adwords. Wherever they have made a departure from the Adwords model it appears to be a change for the worse.

  • Negative keywords appear to be associated with phrases, not adgroups or campaigns. I might have 100 negative keywords and I don’t want to record them separately for every phrase!
  • You have to choose a single language for a campaign and you can’t change it. English-UK and English-US are counted as separate languages, so I have set up a UK+English-UK language campaign and a USA+English-US language campaign. Presumably people in the UK with their computer set to English-US won’t see my ads at all, but I can’t be bothered to set up another whole campaign just for them.
  • It confusingly mixes together campaign and adgroup properties in the interface.
  • The user interface is quite monochrome and poorly laid out compared to Adwords.
  • Everything has to be approved before it goes live. It took over 12 hours in my case (with Adwords it would be live in minutes).
  • It is set up so that you can’t store the password in the browser (in Firefox anyway) and it times out quickly. Continually re-typing the password gets old quickly.
  • I tried opening AdCenter in 2 browsers so I could compare campaigns. It didn’t handle this well.
  • The minimum bid is £0.05. This automatically makes a whole swathe of keywords uneconomic for me.

But it gets worse. They rejected some of my phrases due to ‘Landing page content not relevant’. One of the phrases was “seating plan” with a landing page “The easiest way to create seating plans”. How much more relevant can I make it? This sort of arbitrary interference was one of the things that made Overture so frustrating.

The number of impressions is much lower than Google, but there are also fewer advertisers, so my ads rank higher. Overall AdCenter clicks are currently running at about 10% of what I get through AdWords[1]. It is too early to say how conversion rates compare. But if the profit is only 10% of what I get through Adwords it might not be worth the effort to maintain.

It would be great to have a real contender to Adwords to keep Google on their toes. I’m not a Microsoft-hater and I really wanted to like AdCenter, but my first experiences are not favourable. To be fair, it is early days for AdCenter and I am still learning the ropes. I’ll let it run for a while before I make any decision about pulling the plug.

Microsoft have a reputation for bringing out a lousy version 1.0 and then continually improving it until it crushes all opposition, so it would be unwise to write them off this early in the game. But I think they have got a long way to go before they catch up with where Adwords is now.

[1] I have far fewer phrases in AdCenter than Adwords, but I do have all the most important phrases.