You’ve probably heard recently about “Heartbleed” and the vulnerability of SSL certificates and web sites. SherWare’s web site and the online reporting web site were not affected. We do use SSL certificates on our sites, but they weren’t generated with the vulnerable OpenSSL software.
Not only do we use SSL certificates for the web sites, we also use digital code-signing certificates for our applications. What is a code-signing certificate? In the words of Wikipedia:
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed by use of a cryptographic hash.
Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other meta data about an object.
What this means is that we attach a digital code-signing certificate to our applications so that when you run them, especially across a network, Windows will tell you who the author of the application is and we’ll be able to tell if it has been modified since we released it to you.
Obtaining a Certificate
To obtain a digital certificate for code-signing an application you have to purchase the certificate from a certificate authority and then go through a validation process so that the certificate authority can verify that the company applying for the certificate is who they say they are. The process typically takes a couple of days.
QuickBooks and Certificates
If you’re using the integrated version of the Disbursement and JIB Manager, you’ll have seen the following dialog when connecting to your QuickBooks company the first time.
QuickBooks identifies the application that is connecting to one of its data files by the digital certificate that is attached to the application. If the certificate is invalid, QuickBooks won’t let the application connect to the company requested.
You’ll also see this dialog when we renew our certificate, which we just did on April 1st.
Windows XP and Certificates
It’s hard to believe that many companies are still using Windows XP on their desktops. I’m sure the mentality is, “If it isn’t broke, don’t fix it.” In the case of digital certificates, Windows XP is starting to break if it hasn’t been updated to Service Pack 3.
All digital certificates are signed with a cryptographic hash. The most common hash was SHA1 until recently. SHA1 is being phased out because of security flaws that have been detected, and SHA2 is being implemented. Windows XP won’t recognize a digital certificate signed with SHA2 unless it has been updated to Service Pack 3. What you’ll see is a message stating that the application’s digital signature is invalid.
The certificates that SherWare uses are signed with SHA2, so if you’re still using Windows XP, make sure it is updated to Service Pack 3 (SP3).
We’ve found that even most Win XP SP3 systems don’t support the SHA256 Encryption hash. In order to get a signed DMIE application to work with QB you’ll need to upgrade to Windows 7 or 8.
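To check a signed application yourself, the PowerShell function below reads the file's Authenticode signature and reports the signer, whether the file changed after signing, and which hash signs the certificate. It is an added example, not SherWare's code; the function name Get-SignatureReport and the file path are hypothetical.

```powershell
# Added example (not SherWare's code): report who signed a file, whether it
# was modified after signing, and which hash signs the certificate.
function Get-SignatureReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$FilePath   # hypothetical path supplied by the reader
    )

    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate

    # Unsigned files have no signer certificate to inspect.
    if ($null -eq $cert) {
        return New-Object PSObject -Property @{
            File = $FilePath; Status = $sig.Status; Signer = $null
            CertHash = $null; Expires = $null; Note = $sig.StatusMessage
        }
    }

    # FriendlyName is e.g. "sha1RSA" or "sha256RSA".
    $alg    = $cert.SignatureAlgorithm.FriendlyName
    $isSha2 = $alg -match 'sha(256|384|512)'

    # Windows XP reports version 5.1; ServicePack is e.g. "Service Pack 3".
    $os      = [Environment]::OSVersion
    $isOldXp = ($os.Version.Major -eq 5 -and $os.Version.Minor -eq 1 -and
                $os.ServicePack -ne 'Service Pack 3')

    $note = $sig.StatusMessage
    if ($sig.Status -eq 'HashMismatch') {
        $note = 'File contents changed after it was signed.'
    } elseif ($isSha2 -and $isOldXp) {
        $note = 'SHA2-signed certificate on Windows XP without SP3: signature will show as invalid.'
    }

    New-Object PSObject -Property @{
        File = $FilePath; Status = $sig.Status; Signer = $cert.Subject
        CertHash = $alg; Expires = $cert.NotAfter; Note = $note
    }
}

# Usage (path is a placeholder):
# Get-SignatureReport -FilePath 'C:\path\to\application.exe' | Format-List
```

A Status of Valid with the expected Signer means the file is as released; HashMismatch means the contents no longer match what was signed.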
Source: Hubspot Support Blog