Google’s Monopoly is Stifling Free Software

byuu
Dec 29, 2019 · 3 min read

Google has an undeniable monopoly on search, and a near-monopoly on web browsing software via Chrome and its forks. Even alternative browsers such as Mozilla’s Firefox consult Google’s Safe Browsing service to decide whether a download is trustworthy.

Stopping the spread of malware is a laudable goal, but a direct consequence of how it is being done is that free and open source software developers are prevented from releasing their software without paying expensive, rent-seeking fees to a certificate authority.

If a software developer releases a new version of their software online, they are likely to be met with this warning in their Google Search Console:

Google security warning when a FOSS developer releases new software.

By definition and with no exceptions, all software is uncommon when it is first released: nobody has downloaded it yet.

It doesn’t matter that you’ve had your domain for fourteen years without ever hosting anything malicious:

Domain registration information

It doesn’t matter if none of seventy-two virus scanners flag any malicious content in your executable:

VirusTotal results indicating a clean executable

It doesn’t matter if you request a review from Google which comes back clear:

Google review results

The warnings just come back, often on the very same file you have already had reviewed.

This isn’t just a scary warning that is easily ignored: web browsers will warn users that your software might be malicious. And it is clear from Google’s warning that it considers your site compromised, which can lead to search result penalties, including delisting.

All of this in spite of the fact that you have done nothing wrong other than release software onto the web.

This process is totally opaque: How many downloads are needed before the software is no longer considered uncommon? How long can your site host an uncommon download before a penalty is applied to it in search? Will obtaining a Windows code signing certificate make these warnings go away or not? Does it have to be an EV certificate?

So let’s say you want to get a code signing certificate to see if that helps:

Code signing certificate for sale

What a deal for a small free software developer. Also, you need to have a registered business that is verified by the Better Business Bureau to receive your EV certificate.

If you would like a regular (non-EV) certificate instead, you can obtain one as an individual by attaching your public legal name to your software and sending the certificate authority a copy of your driver’s license. And that is to say nothing of the risks you take these days online by publishing your legal name.

And even if you do all of this and start signing your executables, I still can’t find any assurance of whether Google will begin to treat these executables as safe or not.

In my own case, this has effectively prevented me from releasing compiled binaries of my own software going forward. If code signing is a requirement to distribute free software, then we need a Let’s Encrypt-style alternative for code signing — yesterday. If not, then Google needs a policy change on how it handles new software releases from free and open source software developers.

Written by byuu, developer of the bsnes and higan emulators.
