What every software vendor needs to know about SHA1/SHA2 and digital certificates

TL;DR : If you digitally sign your software you need to make sure you have an SHA2 certificate and use it to dual sign your software with both SHA1 and SHA2 digests.

Digital certificates are used to prove who authored a piece of software and that it hasn’t subsequently been tampered with. Starting with Windows XP SP2 you get a warning message if you download software that isn’t signed with an appropriate digital certificate. So most commercial software vendors digitally sign their software. We grumble about price gouging by the certificate vendors and the hoops we have to jump through to get a certificate. But, apart from that, the system seems to work tolerably well. However Microsoft have thrown a spanner into the works by deprecating digital certificates using the SHA1 algorithm. I only found out about this a few weeks ago from a fellow vendor’s blog. Thanks for nothing Microsoft. If you are using a digital certificate you purchased more than a year ago, it is probably SHA1. This post explains what this means for software vendors, based on my research so far. I am not an expert on this topic and things seem to be changing fast, so please let me know if there are any mistakes or omissions.

I don’t digitally sign Windows software, does this affect me?

No. But perhaps treat the Windows unsigned software warning with some skepticism until Windows software vendors sort this mess out. If you only develop for Mac OS X you can feel a bit smug (at least until the next time Apple nukes your development ecosystem from orbit).

What is SHA1?

SHA1 (Secure Hash Algorithm 1) is a cryptographic hash function that was used in digital certificates issued until recently. SHA1 was known to have weaknesses as far back as 2005. Microsoft (and Google) have finally decided that SHA1 is too vulnerable and SHA2 digital certificates should be used instead.

What happens if my certificate is SHA1?

If you signed your software with a timestamp before 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • It will be treated by Windows 7/8/10 as signed only until 01-Jan-2017.

If you signed your software with a timestamp on or after 01-Jan-2016:

  • It will be treated by Windows XP SP2/XP SP3/Vista as signed.
  • On Windows 7/8/10 you will get an ugly “The signature of <file> is corrupt or invalid” or “The signature of this program is corrupt or invalid” error when downloading. If you don’t see this, it might be because you haven’t done a Windows Update recently (shame on you).

Windows seems to treat software that has been downloaded from the web (with ‘mark of the web’) differently. So make sure you test a version of your software you have downloaded from the web. I carried out some tests on 01-Mar-2016 using an SHA1 certificate to sign an executable and then download it. It worked ok when downloaded using Firefox or Chrome, but was shown as corrupt when downloaded using IE.

How do I know if my current certificate is SHA1?

  1. Right click on your most recently signed installer and select Properties.
  2. Click on the Digital Signatures tab.
  3. Select the signature and click on the Details button.
  4. Click the View Certificate button.
  5. Click the Details tab.
  6. Look at the Signature hash algorithm.

What should I do if my certificate is SHA1?

If your certificate hasn’t expired you should ask the company you purchased it from to issue you a new SHA2 certificate. They should do this free of charge. In the process they will revoke your SHA1 certificate, so you can no longer use it for signing. You should then use your new SHA2 certificate to double sign new releases (see below).

I have an SHA2 certificate, now what?

If you want a new release to be treated as signed on both Windows XP SP3/Vista and Windows 7/8/10 then you need to double sign the file for SHA1 and SHA2:

signtool.exe sign /f <pfx file> /p <pfx password> /t <sha1 timestamp server> /v <installer>

signtool.exe sign /f <pfx file> /p <pfx password> /tr <sha2 timestamp server> /fd sha256 /td sha256 /as /v <installer>

Note that the order of the above is important (SHA1 first).

The Comodo SHA1 and SHA2 timestamp server is:
http://timestamp.comodoca.com

You can add a /debug flag for verbose output.

If you only want to support Windows 7/8/10, then you can omit the first line (but why would you?).

You can use chktrust.exe to check the signature:

chktrust.exe <installer>

Note that only version 6.3 and later of signtool.exe (which comes with Windows 8.1 SDK and is also available here) supports the /as flag.

I always sign the program, as well as the installer.
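A scripted version of the two checks above (which hash algorithm the certificate uses, and whether every signature on a double signed file verifies). This is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or later (Get-AuthenticodeSignature ships in Microsoft.PowerShell.Security) and signtool.exe 6.3 or later on the PATH.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+
# and, for Test-AllSignatures, signtool.exe 6.3 or later on the PATH.

function Get-SignerSummary {
    <# Reports the primary Authenticode signature of a file: whether it verifies,
       who signed it, and which hash algorithm the CA used to sign the certificate
       (the "Signature hash algorithm" field from step 6 of the GUI procedure). #>
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned') {
        return [pscustomobject]@{ File = $Path; Status = 'NotSigned' }
    }
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status                            # Valid, HashMismatch, NotTrusted, ...
        Subject     = $cert.Subject
        CertHashAlg = $cert.SignatureAlgorithm.FriendlyName  # e.g. sha1RSA or sha256RSA
        CertExpires = $cert.NotAfter
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
        NeedsSha2   = ($cert.SignatureAlgorithm.FriendlyName -like 'sha1*')
    }
}

function Test-AllSignatures {
    <# Get-AuthenticodeSignature reports only the primary signature, so a file
       double signed with /as still shows a single entry. signtool verify /all
       walks every signature; /pa selects the default Authenticode policy and
       /v prints the digest algorithm and timestamp of each one. #>
    param([Parameter(Mandatory)][string]$Path)

    & signtool.exe verify /pa /all /v $Path | Out-Host
    return ($LASTEXITCODE -eq 0)
}

# Usage (MyInstaller.exe is a placeholder for your own signed file):
#   Get-SignerSummary -Path .\MyInstaller.exe | Format-List
#   Test-AllSignatures -Path .\MyInstaller.exe
```

Run both against a copy downloaded through a browser (so it carries the mark of the web), since that is the case Windows treats differently.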

Can I double sign .msi files?

I have seen reports that .msi installers don’t support double signing. But I don’t use .msi installers, so I haven’t investigated further.

What happens to software I signed with my SHA1 certificate after the certificate is revoked?

Software you signed previously will not be affected, e.g. it will be treated as signed by Windows 7/8/10 until 01-Jan-2017.

How do I sign Windows XP SP1/XP SP2 software?

Windows XP SP1 doesn’t warn you if there is no signature, so you can ignore XP SP1. SHA2 signatures are not supported in Windows XP SP2. So you will need to have both valid SHA1 and SHA2 certificates to support XP SP2 and all the later versions of Windows. It’s not clear that certificate vendors will allow this. Also, how many people with Windows XP SP2 (an unsupported OS) are out there buying software? I won’t be bothering to support signing for XP SP2.

Does this affect SSL certificates as well as code signing (Authenticode) certificates?

I believe so. But I don’t have any SSL certificates, so I haven’t investigated further.

How does this affect signing of device drivers?

I understand there are some differences for device drivers. But I don’t create device drivers, so I haven’t investigated further.

What is the difference between SHA2 and SHA256?

SHA2 is a family of two similar hash functions known as SHA256 and SHA512. SHA256 uses 32-bit words where SHA512 uses 64-bit words.

How secure is SHA2?

Er, it was designed by the NSA. Supply your own joke.

I don’t have a digital certificate, where can I get one?

I got my Comodo code signing certificate from reseller ksoftware.net. They have a good reputation, and are significantly cheaper than Comodo. I don’t have any business relationship with them beyond being a happy customer.

Update: See renewing my authenticode digital certificate.

Anything else I should know?

Microsoft has reserved the right to move the SHA1 deprecation date forward from 01-Jan-2017.

Acknowledgements

Thanks to Nikos Bozinis for first alerting me to this issue and to Mitchell Vincent of ksoftware.net for fact checking this article.

Further reading

http://zabkat.com/blog/code-signing-sha1-armageddon.htm

http://support.ksoftware.net/support/solutions/articles/215805-the-truth-about-sha1-sha256-and-code-signing-certificates-

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

Updates

02-Mar-2016: Added missing link and minor update.

03-Mar-2016: Minor update.

25-Feb-2023: Added link to https://successfulsoftware.net/2023/02/25/renewing-my-authenticode-digital-certificate/.

Software products are *not* passive income

Some people dream of creating a ‘passive’ income that generates money on auto-pilot while they go and learn tango in Argentina, or whatever their chosen path to the top of Maslow’s hierarchy is. In my experience, a software product is a long way from being a passive income. I know lots of people who own software product businesses. I don’t think any of them regard it as a passive income either.

While on holiday I’ve run my own business from a laptop in less than an hour per day. But the business would start to suffer if I did this for more than a few months. Even if you are not adding new features, software products require significant effort to maintain. Sales queries need answering, customers need support and bugs need fixing. New operating systems will often break things in otherwise stable products (particularly on Mac OS X). And there is always admin stuff to do: tax, accounts and a hundred other things. Marketing also requires ongoing effort, whether it be in the form of A/B testing, newsletters, SEO, PPC or blogging. If you aren’t continually improving your product and marketing, then harder working competitors are soon going to start eating your lunch. You can hire people to do the work for you. But then you have to train and manage those people. And the most capable people have a habit of going off to start their own companies.

There may be some products that can generate passive incomes. Perhaps ebooks, training videos and mobile apps. But I expect they still need significant amounts of ongoing marketing effort if they are going to earn more than pocket money. Remember – if it sounds too good to be true, it probably is…

How to build a gym in your garden

Human physiology has evolved for a challenging existence on the African savannah. It doesn’t cope well with sitting in front of a computer all day, with high energy foods constantly within easy reach. But going to the gym is a hassle: get your gear together, drive to the gym, get changed, do your workout, have a shower, get changed back, drive home. Even just going for a run means 2 changes of clothes and a shower. I wanted something high intensity that I could do in a few minutes every day. I work from home, so I built a gym in my garden, right outside my office. I posted some pictures of it on social media and a few people asked for details of how I made it. So I thought I would write it up here, in case anyone else was interested.

Construction materials:

  • 3.0m x 0.1m x 0.1m fence posts (2 of)
  • 1.8m x 0.1m x 0.1m fence posts (3 of)
  • 1.2m outdoor pull-up bars with fixings (coach bolts and washers) (3 of)
  • 20kg bags of Postcrete (19 of)
  • 20kg bags of gravel (2 of)

The total cost of all the above was about £240, including delivery of the fence posts and pull-up bars.

You should be able to get the fence posts from any fencing supplier. Make sure they are pressure treated, so they don’t rot away in a few years. Anything narrower than 0.1m x 0.1m might not be strong enough. Anything bigger is going to be pretty unwieldy to work with.

You can buy outdoor pull-up bars from various sources. I got mine here. Make sure the bars and their fixings are either galvanized or powder coated, so they don’t rust. I chose bars long enough that I have the option to do wide-grip pull-ups.

Postcrete is a special form of concrete for fence posts (I think it might be called Quickcrete in some countries). You just add water and it sets solid in minutes. Leave it to ‘cure’ for 24 hours before putting any weight on it. I used 5 bags of Postcrete for each of the 3.0m pull-up posts and 3 bags of Postcrete for each of the 1.8m dips posts. You could probably get away with less, but I preferred to ‘over-engineer’ it. I also threw some old bricks and hardcore into the holes for extra bulk. You can use standard cement, which is cheaper, but not as convenient.


You need to dig your post holes according to the height and spacing you want for the bars, which will depend on your height. The pull-up bar should be roughly the same height as your knuckles with your arms full outstretched above your head. The dips bars should be slightly more than shoulder width apart and level with your lower ribs. If you are very tall, you might need longer posts than I did. The holes should be approximately 3 times the width of the fence posts. Put approximately 0.1m of gravel in the bottom of each hole for drainage. The gravel also helps with getting the posts at the same level.

Digging a 1.0m deep by 0.1m x 0.1m across hole is difficult using a spade. I recommend you use a post hole digging tool. I bought one from building supplier Wickes for £25. The bolts were a bit loose, but once I had tightened them up it was fine. You can also rent them, but 3 days rental was as expensive as buying one new. Digging the holes is hard work! I did 30 minutes of digging every now and then. Usually when I got fed up with whatever I was working on. Tip: Cover the loose dirt from the hole with something waterproof as it is much harder to move later if it gets wet.

Attaching the bars before you set the posts isn’t practical. Setting all the posts before attaching any bars is asking for trouble. So we alternated setting the posts and attaching the bars.

Setting the posts and attaching the bars is definitely not a one-person job, so I conscripted the family to help. We used rubber bands to hold 2 spirit levels onto 2 adjacent sides of a post, to make sure it was completely vertical (you can also buy specialist post levellers). One person then held the post while the other one added the Postcrete and water. To attach the bars just drill 4 pilot holes into a post and then use a socket and ratchet to tighten the coach bolts onto the washers.


I also bought a heavy duty rubber mat and post caps to finish things off.

Normally I only create digital things (software, websites, documentation, blog posts etc) so it was really nice to make something physical for a change. Given my modest DIY skills, I am very pleased with how it turned out. It feels very solid and everything is pretty straight and level. Not bad for a software engineer!

Pull-ups, dips and leg raises cover a lot of the major muscle groups between them. Currently I am trying to do pull-ups and dips on alternate days. I usually do 3 sets of as many as I can, with at least a few minutes rest in between. I also do some negative reps. A negative pull-up is where you jump up and then lower yourself as slooooooowly as you can. This sort of eccentric training is very good for building strength (and also useful if you aren’t yet strong enough to do a pull-up). Just hanging from the bar is good for stretching your back muscles.

Because my gym is right outside my office and only takes a minute or so per set, there is no excuse. I also have a reminder set up in the Balanced app on my iPhone. In a few weeks I have gone from 3 pull-ups to 8 pull-ups (with good form). Once I have improved my strength further and reached a plateau on those exercises, I may try some more exotic exercises. I hope eventually to be able to do a ‘muscle up’!


Confessions of a bad software entrepreneur

If you read blogs and forums and go to conferences you will soon pick up that there are a number of recommended ‘best practices’ for being a successful software entrepreneur. I don’t conform to many of them:

SaaS product

No. Both my products are desktop based.

B2B market

Not really. Most of my customers are consumers.

Funded

No. I bootstrapped the business from my own savings.

Subscription model

No. My licences are a one-time fee.

Beautifully designed responsive website

No! www.perfecttableplan.com converts well, but it is certainly not beautiful or responsive (a new website is on the way though).

Co-founder

No. Just me.

Delegation

No. I have delegated bookkeeping to my lovely and talented wife (who also proof reads this blog) but I don’t have any employees or virtual assistant and do the vast majority of things myself, including all the marketing, sales, programming, documentation and customer support.

Drip email campaign

No. One day perhaps.

Focus

Not really. I like variety. I have 2 products under active development and also do some consulting and training.

Social media campaign

No. I have long since given up on Twitter and Facebook as marketing channels.

Mastermind group

No. I do talk with my peers in forums, at meetups and conferences, but not in any structured way.

Started young

No. I was pushing 40 when I started my entrepreneurial career.

Endless growth

No. I can’t really grow the business much more without taking on staff or becoming a workaholic. But I am happy just to maintain the current level of sales. [1]

Exit plan

No. I haven’t given it any real thought. I am quite happy doing what I’m doing.

But…

My one-man software business has made me a nice living doing a job I enjoy for more than 10 years. So I guess I must be doing something right. There is no ‘one true way’ to be an entrepreneur. If you have a good product with good support and good marketing, most other things are optional.

[1] Added after suggestion by Tom Reader.

South West Bootstrappers meetup No. 3

The next meetup is on the evening of Tuesday, October 20, 2015 in Swindon. You can find out more and RSVP at meetup.com/South-West-Bootstrappers/. Hope to see you there!

Rocket Science

My son, my wife and I have been messing around with model rockets. They seem to be a big thing in the USA, but are a lot less common here in the UK. They are a lot of fun.

I bought the above rocket + launch pad + launch controller kit from a local model shop, with some recovery wadding and 3 class C rocket motors with igniters:

rocket kit amazon.co.uk link

rocket kit amazon.com link

The total cost was £30.

Making the rocket involved a bit of glueing and assembly, but was fairly straightforward. Then we inserted some wadding (to protect the internals from the hot gas of the rocket motor), the recovery parachute and the nose cone with rotors. When it was finished we took it to a big open space, inserted a rocket motor and igniter, put it on the launch pad and used the 9v battery operated remote control to launch it.

We had a few non-launches because the crocodile clips (connecting the launch control to the igniter) touched, causing a short-circuit, or fell off. Not a great design. Once we had sorted that out we successfully launched and the rocket went well over 100 metres in the air. Cool!

In theory the motor should burn for a couple of seconds and then a little explosive charge fires to separate the nose cone from the main body. The main body then floats down on the parachute while the nose cone deploys spring-loaded rotors and auto-rotates down. In theory. However, in our inexperience, we put in too much wadding and packed it too tightly. Consequently the rocket blew itself apart in mid-air and the parachute and rotors didn’t deploy. We managed to recover all the bits. The parachute was ok, but the rotor blades were too damaged to use again.

A video of our first launch

So we cut off the damaged section and added the nose cone back on to make a new, shorter rocket and did 2 more launches. Being lighter with the same motor it went a lot higher. Possibly over 200 metres!

We made a new rocket from the nose cone and tail of the kit, plus a long cardboard tube and lots of duct tape. We did another 3 launches using C class rocket motors. Even managing to get one successful parachute deployment. However as the new rocket was heavier it got noticeably less height, probably less than 100 metres.

A few things we learnt along the way:

  • Don’t force the parachute and nose cone in too hard or use too much wadding.
  • If the parachute doesn’t deploy the rocket can survive hitting the ground at speed surprisingly well. But they make quite a hole in the ground, so you REALLY don’t want to get in the way.
  • Even in light wind the rockets can land a fair distance away. Especially if the parachute deploys successfully. So pick a still day for the launch. You can also cut some extra vents in the parachute to make it fall faster.
  • You need a BIG open space, free from other people, animals and trees. Preferably at least 200 metres across, if you want to stand a good chance of recovering your rocket for another launch.
  • The maximum height of your rocket depends critically on the thrust to weight ratio.

Hopefully it goes without saying that pyrotechnics and objects travelling at high speed are potentially dangerous and require common sense and adult supervision.

Being a software geek with a physics background I couldn’t resist doing a few calculations. Here is a little Python script I wrote to calculate the maximum height and flight time based on the mass of the rocket and the thrust and duration of the motor. It applies a simple time-step approach to F=ma. Just modify the mass, thrust and duration variables.

It assumes the rocket goes straight up and doesn’t allow for air resistance. But the values it calculates seem fairly plausible based on my observations. You can get the code via this link:

Python rocket calculation code

For example with a thrust of 6N for 1.6s I calculate a maximum height of:

Mass (kg)   Max height (metres)
0.10        388
0.15        156
0.20         78
0.25         43

So you can see how critically important thrust to weight ratio is to maximum height.

Presumably it is possible to derive an analytic solution as well. I leave that as an exercise for the interested reader. ;0)
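The analytic solution the post leaves as an exercise, worked here as an added derivation (it is not part of the original post). It uses the script’s own assumptions: constant thrust $T$ for a burn time $t_b$, constant mass $m$ (propellant mass loss ignored), $g = 9.81\ \mathrm{m/s^2}$, no air resistance and a vertical flight.

During the burn the net acceleration is $a = T/m - g$, so at burnout

$$v_b = a\,t_b, \qquad h_b = \tfrac{1}{2}\,a\,t_b^2 .$$

After burnout only gravity acts and the rocket coasts a further $h_c = v_b^2/(2g)$, so, using $a + g = T/m$,

$$h_{\max} = \tfrac{1}{2}\,a\,t_b^2 + \frac{a^2 t_b^2}{2g} = \tfrac{1}{2}\,a\,t_b^2 \cdot \frac{T/m}{g} .$$

The flight time (burn, coast to apogee, fall from rest) is

$$t_{\mathrm{flight}} = t_b + \frac{v_b}{g} + \sqrt{\frac{2\,h_{\max}}{g}} .$$

For $T = 6\ \mathrm{N}$, $t_b = 1.6\ \mathrm{s}$ and $m = 0.1\ \mathrm{kg}$: $a = 50.19\ \mathrm{m/s^2}$, $h_b \approx 64.2\ \mathrm{m}$, $h_c \approx 328.7\ \mathrm{m}$, giving $h_{\max} \approx 393\ \mathrm{m}$ and $t_{\mathrm{flight}} \approx 18.7\ \mathrm{s}$; for $m = 0.25\ \mathrm{kg}$ the same formula gives $h_{\max} \approx 44\ \mathrm{m}$. Both are close to the time-step values in the table above, and the closed form makes the thrust-to-weight dependence explicit: $h_{\max} \propto (T/m - g)\,(T/m)$.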

I think we will try a D-class motor next time (each step up the alphabet doubles the impulse). This seems to be the biggest that you can get hold of in the UK without a license. Watch out passing aircraft.

To infinity and beyond!

** Update 23-Apr-2023 **

One thing led to another and we are now launching rockets with F motors to over 1000 feet and taking part in UK national rocketry competition (placed 9th last year). My son is considering doing a degree in aerospace and astronautic engineering.

Correction: The biggest motor you can buy in the UK without certification is a G.

Technical Debt

Software products tend to build up ‘technical debt’ over time. Every bad decision, kludge and shortcut made to ‘just get it working’ makes the product more brittle and harder to change in the long run. Technical debt is very hard to avoid unless you know exactly what direction your product will take in the future (unlikely) and you can guarantee that the platform and libraries you build it on won’t change (even less likely). Like real debt, the longer you leave it, the worse it gets. Every so often you need to repay the debt if you want to keep your product healthy. Otherwise it will gradually degenerate into a Big Ball Of Mud.

My seating plan software has been developed continually for over 10 years now. I have done regular refactoring over that time to keep technical debt to a manageable level. For example, early versions of PerfectTablePlan were a bit lax about how memory was managed in the genetic algorithm. This shortcut wasn’t a big deal when the genetic algorithm was solving seat assignments for a few hundred people. But it became a performance issue when it was solving seat assignments for thousands of people. So I had to do a significant rewrite of the genetic algorithm. For PerfectTablePlan v6 I am going to have to rewrite all the remaining code that uses Qt3 classes, so that I can switch the codebase fully to Qt5. Oh joy! Thank goodness for the strong typing in C++. If I can keep the technical debt in check, perhaps people will still be buying PerfectTablePlan in another 10 years.

Technical debt is an inevitable consequence of the fact that software products are a ‘work in progress’ (including the software you are building on top of). The fact that software is never really ‘done’ can be frustrating, but it has its upsides. I was recently in the French mediaeval city of Laon, looking at their beautiful cathedral. I noticed that there were four and a half windows at one end of the transept. Four and a half? On further inspection it was clear that the builders had changed their mind part way through the build and then tried to cover up their mistake. It is still visible some 700 years later. At least we get the opportunity to correct our mistakes and our customers usually never know…

technical debt

South West Bootstrappers meetup No. 2

I am organizing a regular meetup in Swindon (UK) for people who are running (or are interested in running) their own bootstrapped (i.e. not VC funded) software product business for web, Windows, Mac or mobile. Come along and talk shop with other aspiring and experienced bootstrappers.

The next meetup is on the evening of Tuesday 25th August 2015. So far there are 14 of us signed up. You can find out more and RSVP at meetup.com/South-West-Bootstrappers/.

A Few Good Links – Why you need them and how to get them

In this guest post Christoph Engelhardt talks about why link building is an important part of online marketing and the most effective ways to do it.

When you are promoting your product online, there is a myriad of different ways to do it: Display Ads, Google Adwords, Facebook Ads, Social Media, Email Marketing, Online PR, and SEO – to just name a few.

Deciding on the right method for your business can be tricky. They are all so different. Some of those methods can be turned on and off like a faucet; others are more like a flywheel that need a lot of pushing to get going, but will keep delivering results after you’ve stopped.

Hopefully you’re in it for the long haul, so I’m going to talk about a strategy that is more of a flywheel: link building. Building links on the internet is a long-term strategy that factors into multiple traction channels.

Inside this article you will learn:

  • How to supercharge your PR, SEO, and Content Marketing with outreach marketing.
  • How you can get more links to your website without angering the Google gods.
  • At least 3 different ways to find high-quality outreach and link building opportunities.
  • The secret to drafting the perfect outreach email.

I’ve been in online business for more than a decade now. I’ve been struggling with moonlighting multiple products to profitability, online marketing and SEO long enough to call myself “somewhat of an expert” on those topics. ;-)

I want to share with you what I have learned in those years to help you avoid making the same mistakes I made.

Let’s get started.

SEO and link building in particular are often seen as scammy online marketing tactics and I won’t deny that there is some merit to that argument. SEO for the first 10 years has been a lot like the Wild West – minus the random killings. There was no one to effectively enforce the “law of the land” and spammers thrived.

Yes, you could cheat your way to the top of Google’s search results in the past. BUT, it is getting harder and harder with every passing day. Getting to #1 on Google today means you have to “dot the i’s and cross the t’s” in technical SEO (more on what this is later) and get some buzz going for your product – i.e. build some links.

“Link building” as a term is loathed by white-hat SEOs, as it implies spamming comment sections on random blogs and free web directories. They would much rather talk about “earning links” through “Content Marketing” and “Social Amplification”. That’s fine by me, but make no mistake: Having a rich and diverse link profile for your website is still THE major ranking factor for Google’s search results.

Spreading your links around the world wide web isn’t a problem per se. Links are what make the world wide web a WEB in the first place. But the way you do it makes all the difference: If you’re leaving useless comments on unrelated blogs, you’ll do more harm than good. If you get your product reviewed (without paying for it) on a major website where your target audience hangs out, the value gained can hardly be put into words.

Fundamentally, whenever you do any sort of online marketing you are building links. Sharing your content on social media? You’re sharing a link back to your content, because you want people to click that link. Buying Adwords? You’re buying links right on Google’s website. Sharing your news release in a PR campaign? You’re spreading your links.

This means that, if you have a website, you’ve probably started building links without thinking too much about it. All you need to do is be more intentional and active in your efforts.

Why you should include outreach marketing in your marketing mix

Building links helps you in two distinct ways: a) you’re getting referral traffic directly via the links you get, b) the links you get improve your rankings in the search engines, bringing you additional organic SEO traffic.

In the long term, the SEO benefits will often have a greater effect on your traffic than the referral traffic you receive through the links. This is because a great link profile will lift your website to the top of Google across 100’s or 1000’s of keywords (all other things being equal)! That is why link building is related to SEO in most people’s minds. Traditionally it was done almost exclusively to get that sweet #1 spot on Google.

However, you should not neglect the sheer amount of traffic you can get from a well-placed link. Depending on where you get that link from (and we will talk about this in a minute) a single link can send you 1000’s of visitors.

In fact, I advise everyone to completely neglect the SEO benefits when they think about where to get a link from. When you try to get a link from another website, here are the questions you should ask yourself:

  • Is this a trusted website in your niche?
  • Does that website have a big enough audience to send you meaningful traffic?
  • Is that website’s audience interested in your product at all?

You don’t want to get a link from a website outside your niche – especially not from a 3P-website (porn, poker, pay-day loans), no matter how good their SEO metrics are. Similarly, you don’t want a link from Joan Doe’s blog that has two readers (her mom and her dog). Finally, you shouldn’t chase after getting featured on TechCrunch, even if they are a big ass website and you’re doing something in tech, because their readers are most likely not interested in what you have to offer. They are killing their time with their butts firmly planted in an office chair and are not looking to buy stuff.

See how I don’t even mention SEO in there? Focus on getting your links in front of your target audience. If you focus your outreach marketing on having a direct ROI from the referral traffic you get, you will be taking good care of the SEO-side of things automatically.

Calculating the ROI of outreach marketing

I hope that I have convinced you by now that outreach marketing is not a scam and you can do it without causing harm to your website or your brand (assuming you do it right).

But before you rush off to get your outreach marketing going, we need to talk ROI. You’d be ill-advised jumping into anything without at least computing the possible ROI before you do it. After all, you might have other (more valuable) options to spend what limited time you have.

First you need to know how much you’re going to invest into getting one link. Say you’re investing two hours to write a guest post and an additional half-hour for outreach and administrative work related to getting that link and you value your time at $50 per hour. This means you’re investing (roughly) $125 into getting this single link.

This number obviously depends on the website we’re talking about: Some websites like directories or profile pages won’t take you more than 10 minutes to get a link from (and links from them are worth less to you), while getting featured on a popular website in your niche might cost you an arm and a leg (but it might be worth it).

Now we know the costs, but how do we calculate (well… guesstimate) the value of one link?

There are two ways you can do so, let’s explore them – assuming we want to get a link from this blog: www.successfulsoftware.net .

  1. Go to www.opensiteexplorer.org
  2. Enter the URL of the website you’re trying to get a link from into the box (i.e. www.successfulsoftware.net) and hit RETURN.
  3. Search for the “Domain Authority” value (45).
  4. Multiply that value by $2.5 (Read my full research here).



This gives you a rough guesstimate of the dollar value of any link on the web – in the case of Andy’s website that’s roughly $110. It’s a great rule of thumb for small and medium sized websites. The problem with this method is that Domain Authority is capped at 100 – so no link can be worth more than $250 with this method. But clearly, getting featured on the White House website or Google’s blog will have a slightly (!) higher value than that.

The second approach is more complicated, but it takes into account the specifics of your business. We are going to work our way backwards from the sale for this one.

  1. We need your customer lifetime value (LTV – say $200) and your conversion rate from visitor to sale (CR – say 1%)
  2. Multiplying LTV * CR we get the average value per visitor (VPV – that’s 0.01 * $200 = $2) for your business
  3. Dividing the cost for the link by the value per visitor (cost / VPV) we get: $125 / $2 = 62.5

This tells you that you need to get at least 63 visitors from the link to break even on your time investment. That isn’t too big a number and it can be even lower if you have a higher LTV or when you get the link in front of just the right audience (which will increase the conversion rate for that cohort).

The only question that remains – and that I sadly can’t answer for you – is this: Will you get 63 people to click on that link on that website? If you can answer this question with a “Yes”, I think you should chase that link down.

Lastly, remember that we don’t take SEO into account here at all. It is hard to measure the effect of a single link, so consider it gravy on top.

Now that we’ve covered the fundamentals, it is time to talk a bit more in-depth about where to get links from and which websites you should definitely avoid.

As mentioned before, you don’t want to get any links from websites in dubious niches like poker, porn and payday loans. These are not good company for a respectable website. You also don’t want to have too many incoming links from the thousands of free web directories (startup directories anyone?) out there as it may harm your standing with the SEO gods. Having a few (high-quality, say ProductHunt) directories link to you isn’t a problem, but having hundreds or thousands certainly is.

The same goes for comment spamming random blogs around the internet, creating dozens of free blogs on WordPress.com or Tumblr, and poorly written, mass-produced guest posts all across the web. Just don’t. That’s not to say that blog comments or guest posts don’t have value. You just need to do it right. If it can be automated (or outsourced for $0.50/hour to developing countries), you’re doing it wrong. The rule of thumb is to get links that take significant work to acquire. This will keep you in good standing with the SEO gods.

The way to go about link building/link earning/outreach marketing today is to find suitable websites, find a contact there, develop a relationship and eventually you will get a link from it. Case in point: Andy and I go back well over a year. We’ve been to conferences, chatted a lot, he gave me advice on discuss.bootstrapped.fm, we even had lunch together when I visited his home town. NB: I wasn’t after getting a link from Andy – in this case it just happened – but building a relationship always comes before building a link. [Editor’s note: I approached Christoph to write an article for this blog]

Here are some ideas where you can get your links placed:

Website content (blog posts, news articles, etc) usually results in a spike of traffic and then it slows down to a crawl. Lists and partner directories on the other hand will give you a more constant flow of traffic.

Just look at these two images below: One is from LinksSpy getting published on ProductHunt – and the other is the traffic from when someone included LinksSpy on their ProductHunt list (with a small spike in the middle when that list was itself mentioned on a newsletter).



Finding Outreach Opportunities

But how does one find these websites? I’m quite sure you could name a few websites in your niche off the top of your head, but that will ultimately give you maybe one or two links – which won’t turn you into an overnight success. You need more; you want more.

Option A is to just Google for it. Use terms like “best $PRODUCT_NICHE in 2015” or “$NICHE blog”. If you want to get really smart(-y) you can use one of the tips from Ann Smarty and search for “blog for us $PRODUCT_NICHE”. You can also use blog directories like AllTop and look for opportunities there. Here’s a quick link you can use: Google search for blogging opportunities (Replace “NICHE” with your own niche after the page loads)

Option B is to use MyBlogU, where people are constantly searching for industry experts to do interview round-ups. Just search through the list and see if you can make a meaningful contribution to any of the interviews. You’ll usually get a nice mention in the process. (Bonus for content marketers: You can post your own interview questions and convert the answers into a blog post with built-in content promotion – all the experts will want to share it)

Option C is a bit more involved. Using OpenSiteExplorer and the URLs of your competitors you can find the places where they get their links from. Knowing where they got their links from allows you to contact the very same websites and get the same links.

This list isn’t complete – there are way more ways to find outreach opportunities. But these three will allow you to find the first few, get your feet wet and experience the success that comes with building links. You can always go deeper later on.

Options A and B are pretty much straightforward, but you’re likely wondering by now “why would I want to get the same links my competitors already have?”

Well, there’s a reason your competitors are ranking ahead of you in Google’s search results. Aside from them nailing technical/on-site SEO (Read my blog post on bare minimum SEO for designers where I describe the basics), they have more and better links than you have. A little spying on your competition to see what works can’t hurt.

Secondly, getting links from the same websites as your competition will (theoretically) put you on par with them. In reality you won’t be able to replicate the link profile of another website and you wouldn’t want to either, as they might have a bunch of dodgy links. What you can do is combine the best links from a number of competitors, effectively giving you a better link profile than any of your competitors.

When I say “competitor” I use that term loosely. It can be either an actual competitor, another website that ranks ahead of you in the search results, a website in your industry or any number of things. You can use all of them to find valuable link opportunities.

How to Find Websites Linking to your Competition

There are a number of websites that show you the backlink profile of any given website: Moz’s OpenSiteExplorer (which I have mentioned above), MajesticSEO, OpenLinkProfiler, and Ahrefs. They all tell you which websites link to the website under scrutiny (your competitor’s website), but with varying levels of detail. I generally found Ahrefs to be most accurate, but OpenLinkProfiler and Moz are free(-mium), so we will just use those for now.

Here are the steps you need to take in OpenSiteExplorer to get the valuable links for your competitors:

  1. Open OpenSiteExplorer in your browser
  2. Enter your competitor URL in the form field, e.g. “www.softwarebyrob.com”
  3. Set the following parameters:
    • Target: this root domain
    • Link Source: only external
    • Link Type: link equity
    • select “Group by subdomain & show social/contact links”
  4. This will give you the following search results

This list groups the incoming, external links by the domain they originate from. Additionally, links that do not pass SEO juice are filtered out.

Looking through this list you will find some interesting websites you can ask for links. You can also see where the links were published (e.g. blog posts, partner lists). Repeat the process for as many competitors as you like.

When you examine multiple competitors make a special note for each website that links to more than one competitor. For example rachelandrew.co.uk links to the following “competitors” for Andy’s website:

These websites (the ones that link to many competitors) are often a good selection for your first batch of outreach targets. They have given links freely in the past and they have talked about your competition, which suggests they will be open to a cooperation with you. Incidentally, LinksSpy was built to find these websites.

Caveat: You still need to apply sound judgement whether you want a link from a given website or not. Some websites might be ‘dodgy’ and you would risk getting slapped by Google if you get a link from them. Or maybe they are really great websites and you would love to get a link from them, but you know that you won’t get a link from the New York Times a week after launching with six active users.

Putting the “Outreach” into “Outreach Marketing”

By now you should have a list of at least a hundred outreach targets. There are two more steps remaining on your way to making millions of dollars, getting world-famous, and saving the planet. That’s your plan – right?

As a first step you need to find contact details (i.e. the email address) of an author on that website. A few ways to find the right email address:

  • Look around for a “Contact Us” page.
  • Check if the author’s name is a link (if so, check that page for their email address).
  • Check the author’s social media profiles.
  • Try to guess the right email address (e.g. firstname@mydomain.com will often work – Rapportive works great for this!).

If all else fails, you can always try your luck with “contact@mydomain.com” or “support@mydomain.com”.

Drafting the Perfect Outreach Email

Lastly, you (just) need to send the actual outreach email. If you’re cold emailing someone, it is best to not ask for favours/links right in the first email. What I recommend instead is to ask for their expert’s opinion on an article you have written. Everyone likes to be seen as an expert and to be asked for their opinion – as long as the topic interests them. Five out of ten times they will – at least – share your article. At this point you’ll be off to a good start: You’ve already got some value (social media mention!) and started to build a relationship that might end in a link for you.

So here are a few tips on how to write a great first outreach email:

  • Include the person’s name in the salutation (“Hi Andy” beats the hell out of “Hi/Hi there/Hiya!”).
  • Keep it short.
  • Do some research. It is really annoying to get emails from people who obviously haven’t bothered to find out what your blog/website is about and who the audience is.
  • Find something you genuinely appreciate about them/their work and mention it.
  • Be sincere. Don’t write something if you don’t mean it.
  • Don’t ask for a link. Repeat: DO NOT ASK FOR A LINK.
  • Keep. It. Short.

Motivational tip: When doing outreach marketing, always set your goal as “send X emails per day”. Don’t focus on “get X positive replies per day” as this is demotivating. “Send X emails per day” makes every email sent a small success, whereas with “get X positive replies” every email sent (without a reply) is a small defeat.

Get started with Outreach Marketing now

Wow. That certainly was a LOT to swallow. So here’s a short recap for you:

  1. Link building/outreach marketing is a long-term strategy that boosts your SEO and PR efforts.
  2. You can do it in an ethical way without spamming blogs/people.
  3. Searching for “$NICHE write for us” on Google and competitive link analysis as described above are excellent ways to find outreach opportunities.
  4. Drafting a good outreach email involves research and the email should be focused around the person you’re contacting.
  5. The immediate goal of outreach marketing is not to get a link, it is to build a relationship. Links and social shares will follow.

You’ve got all the information you need:

  • You have a big list of outreach opportunities now.
  • You have the contact details for each opportunity.
  • You know how to craft an outreach email.

All that is left now, is for you to go out and hit those contacts. Build relationships and you’ll get links.

Christoph Engelhardt is the founder of LinksSpy.com – a SaaS application built to help SEO and PR agencies dig up the most valuable outreach opportunities for their clients’ websites.

It’s great to be in the software products business

Those of us who own software product businesses sometimes grumble about what a difficult business it is. Although it’s indoor work with no heavy lifting, it has its frustrations: software piracy, customers who moan about paying a whole $0.99 for thousands of hours of work, buggy third party software, RSI, chargebacks and the catastrophic consequence of accidentally offending the great god Google, to name but a few.

But reading Kitchen Confidential brought home to me just what a hard business it is to run a restaurant. You have to make a major financial outlay to fit out the restaurant and kitchen. You have rent and staff salaries to pay every month, regardless of whether customers come or not. Staff turnover is generally very high in the catering business, so you are continually having to hire new staff. You have to deal with drunken, unreasonable and dishonest customers. Possibly also drunken, unreasonable and dishonest staff, who have ready access to sharp knives and boiling liquids. Theft by staff can be a real problem. You have highly perishable stock. If you don’t order enough, you have to turn people away. If you order too much, you have to throw away the excess or risk poisoning your customers. You have endless deliveries from suppliers, which you have to check to ensure they are the correct amount and quality. You have to keep the restaurant clean. Extremely long hours are standard. Even if you are doing well, you can’t seat more people than the restaurant can physically hold. A restaurant that has to turn people away on Fridays and Saturdays might be empty on Monday. And success brings its own problems, as you can only increase the scale of the operation by expensive and disruptive measures such as opening a new restaurant or moving venue. The relentless overheads of staff, rent and stock mean that cash flow is a huge issue. It’s no wonder that restaurants fail so frequently.

Running a software product business is pretty cushy by comparison. You can start your own software product business with just a PC and a generous dollop of time. Nearly all the issues related to manufacturing, suppliers, stock and shipping go away when you are dealing with electrons rather than atoms. If you do make a mistake, you can usually put it right just by making another release. The worst a disgruntled customer is likely to do is post a snarky comment on a forum or send you a nasty email. High margins and low overheads mean that cash flow is much less of an issue than for most other businesses. Software businesses also scale much more easily than other businesses. You aren’t tied to a particular location and don’t even need to rent an office building (billion-dollar company Automattic has a fully distributed workforce and no company office).

The software business is a great business to be in!