Google has an undeniable monopoly on search, and a near-monopoly on web browsing software via Chrome and its forks. And even alternative browsers such as Mozilla’s Firefox reference Google’s Safe Browsing service to decide on the trustworthiness of downloads.
Stopping the spread of malware is a laudible goal, but a consequence of this is directly harming free and open source software developers from being able to release their software without paying expensive certificate authority rent-seeking fees.
If a software developer attempts to release a new version of their software online, they’re likely to be met with this warning in their Google Search Console:
By definition and with no exceptions, all software is uncommon when it is first released.
It doesn’t matter that you’ve had your domain for fourteen years without ever having hosted anything malicious:
It doesn’t matter if none of seventy-two virus scanners flag any malicious content in your executable:
It doesn’t matter if you request a review from Google which comes back clear:
The warnings just come back, often times on the very same file you’ve already had reviewed.
This isn’t just a scary warning that is easily ignored: web browsers will warn users that your software might be malicious. And it’s clear from Google’s warning that it considers your site compromised, which can lead to search result penalties including delisting.
This in spite of the fact that you’ve done nothing wrong other than release software onto the web.
This process is totally opaque: How many downloads are needed before the software is no longer considered uncommon? How long can your site host an uncommon download before a penalty is applied to it in search? Will obtaining a Windows code signing certificate alleviate these warnings or not? Does it have to be an EV certificate?
So let’s say you want to get a code signing certificate to see if that helps:
What a deal for a small free software developer. Also, you need to have a registered business that is verified by the Better Business Bureau to receive your EV certificate.
If you’d like a regular certificate, you can do so by attaching your public legal name to your software and sending in a copy of your driver’s license. And that is to say nothing of the risks you take these days online by publishing your legal name.
And even if you do all of this and start signing your executables, I still can’t find any assurance whether Google will begin to treat these executables as safe or not.
In my own case, this has effectively prevented me from releasing compiled binaries of my own software going forward. If code signing is a requirement to distribute free software, then we need a Let’s Encrypt-style alternative for code signing— yesterday. If not, then Google needs a policy change on how it handles new software releases from free and open source software developers.