Deciding to Download Software from the Internet

February 19, 1997

Unlike software in retail stores, software on the Internet is not labeled or "shrink-wrapped." As a result, you may not know for sure who published a piece of software, what the software will do on your computer, or whether the code has been tampered with.

Microsoft has developed Authenticode™ technology, a feature in Microsoft® Internet Explorer 3.0, to help address these concerns. When you download a piece of signed code to your computer, Authenticode verifies that the code hasn't been tampered with. In addition, Authenticode technology irrefutably identifies the publisher of signed software through a digital certificate.

The certificate shown below displays who published the executable (in this case, Microsoft). If you trust this publisher, you may choose to install and run this executable by clicking "Yes". If you do not recognize and trust the software publisher, Microsoft recommends that you not install and run the executable.

Authenticode Certificate

The software publisher also uses this certificate to digitally sign or "seal" its software -- similar to the safety seal on a bottle of aspirin or the shrink wrap on packaged software. If a third party has tampered with the software, the seal is broken and Internet Explorer will neither install nor run the code when you use the default safety level of High. In addition, by default, Internet Explorer will not download unsigned code. This certificate does not attest to the quality of code. However, it is an additional safety measure protecting you from tampered or anonymous code.
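The same decision, sketched as an added example (not code from the original page or from Microsoft) with the `Get-AuthenticodeSignature` cmdlet in current Windows PowerShell rather than Internet Explorer 3.0. The function name `Test-DownloadedCode`, the thumbprint allow-list parameter and the temporary file are assumptions made for illustration.

```powershell
# Added example: apply a "High"-style policy to a downloaded file.
# Unsigned or tampered code is blocked; validly signed code is allowed only
# when the signer certificate is one the user has chosen to trust.
function Test-DownloadedCode {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Hypothetical allow-list: thumbprints of publisher certificates you trust.
        [string[]]$TrustedThumbprints = @()
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    $result = [ordered]@{
        Path      = $Path
        Status    = $sig.Status
        Publisher = $null
        Issuer    = $null
        Decision  = 'Block'              # default-deny, like refusing unsigned code
        Reason    = $sig.StatusMessage   # used for statuses not handled below
    }
    if ($sig.SignerCertificate) {
        $result.Publisher = $sig.SignerCertificate.Subject   # who published the code
        $result.Issuer    = $sig.SignerCertificate.Issuer    # the Certificate Authority
    }

    switch ($sig.Status) {
        'NotSigned'    { $result.Reason = 'Unsigned code: publisher cannot be identified' }
        'HashMismatch' { $result.Reason = 'File changed after signing: the seal is broken' }
        'Valid' {
            if ($TrustedThumbprints -contains $sig.SignerCertificate.Thumbprint) {
                $result.Decision = 'Allow'
                $result.Reason   = 'Valid signature from a publisher you trust'
            } else {
                $result.Decision = 'AskUser'
                $result.Reason   = 'Valid signature, but publisher is not on your list'
            }
        }
    }
    [pscustomobject]$result
}

# Constructed sample input: a temporary, unsigned script file.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'constructed-unsigned.ps1'
Set-Content -LiteralPath $tmp -Value 'Write-Output "hello"'
Test-DownloadedCode -Path $tmp | Format-List
Remove-Item -LiteralPath $tmp
```

A valid signature only establishes who signed the file and that it has not changed since; as the text says, it does not attest to the quality of the code.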

In this example, Microsoft's software publisher certificate is issued by VeriSign, a Certificate Authority for digital certificates. In order to issue a commercial software publisher certificate, VeriSign must be able to authenticate the identity of the person and organization applying for the certificate. For more information about VeriSign's Digital ID services, please visit the VeriSign Digital ID Center.

Tips:

  1. We strongly recommend that you keep your Safety Level at "High" to ensure that Internet Explorer 3.0 downloads only signed code to your computer. (From the Internet Explorer View menu, click Options, click the Security tab, and then click Safety Level.)

  2. Before you download software to your computer, it's a good idea to find out more about the software publisher or the issuer of the software publisher credential. To do this, click the software publisher or credential issuer hyperlinks to go to Web pages that contain this information.

  3. If you feel uncomfortable downloading any active content to your computer, you can turn off the "Allow downloading of active content" option. (From the Internet Explorer View menu, click Options, click the Security tab, and clear the first checkbox.) When this option is unselected, Microsoft Internet Explorer 3.0 will not download any active code to your computer, regardless of whether this code is signed or unsigned. This includes all types of software that provide animation or multimedia content, including Java™ applets and ActiveX™ controls.

  4. Microsoft Internet Explorer 3.0 also enables you to control the types of code that run automatically on your computer, specifically ActiveX controls, ActiveX scripts, Java applets, and plug-ins. (From the Internet Explorer View menu, click Options, click the Security tab, and check the desired boxes in the Active Content section.)

© 1997 Microsoft Corporation. All rights reserved.