Windows 10 Defender does not like Vassal 3.6.14

Greetings!

I am brand new to Vassal but a medium level board gamer. My Windows 10 Defender does not like Vassal 3.6.14. What can I do? I want to make sure that I don’t download anything harmful to my computer and I am not an IT expert.

Thanks,

Patrick

Help with getting past hyperactive Windows Defender

Thanks, Joel. However, I am a bit confused. Vassal’s program is not “signed.” Why not?

As I said in 2020: “Code signing has always struck me as providing little assurance to the user on one side, and as sort of a racket for companies selling code signing certificates.”

The only change you’d see on Windows, so far as I know, is a dialog with some different wording and maybe no yellow bar when you go to run the installer.

I remain confused, Joel: I am not an IT expert, but would it not just be easier to “sign” the program (code) to ensure there are no glitches with users like me?

BTW I found this from Microsoft:

"Code signing provides some important benefits to application security features like Windows Defender Application Control (WDAC). First, it allows the system to cryptographically verify that a file hasn’t been tampered with since it was signed and before any code is allowed to run. Second, it associates the file with a real-world identity, such as a company or an individual developer. "

Just curious–I am still trying to understand why it would not be a good thing to sign it, and what is the downside of doing so, given what I found online above (though I am far from an expert on this).

Thanks, Patrick

Hi,

My 2¢ on signing binaries.

To sign an application means that you attach a private key to the application. A key is a big number. When the application is about to run, the Operating System (OS - e.g., Windoze, MacOuze, Linux) will try to verify the key by using a public key (another big number) according to some algorithm. If that succeeds, then the OS may decide to trust that the application isn’t malicious, if the public key is trusted. That typically means that there’s a chain of trust that leads back to the OS provider (via signed certificates).

Now, a private key is … well … private. That means only a single person (or small group of persons) have access to it. In terms of software signing, that means that the developer, or developer group, has the private key.

That also means that if software A is built by someone other than the developers, then they cannot sign the built binary application, since they do not have access to the private key. Thus, the application isn’t the same as the original.

VASSAL is OpenSource Software (OSS - licensed under the GNU Lesser General Public License 2.1 - AKA LGPL-2.1 - see the LICENSE file in the distribution - which you already read right?). One of the promises made by OSS is that the original developers do not have particular privilege over the software - anyone can pick it up, modify it, expand upon it, fix problems, tailor it to their needs (think VASL). Another promise is that you can always audit the code yourself (or get someone you trust to do it), so that you can satisfy yourself that the software isn’t malicious.

Code signing sort of goes against the first idea (no privileged position). If VASSAL developers signed the application, then it would put them in a privileged position.

Now what are the ramifications of signing or not signing

  • an OS may completely reject applications that have not been signed with a trusted key (iOS for example - which is how the Führer von Appfel can hold a tight grip on the dominions)
  • an OS may sandbox an unsigned application meaning it will not be able to access resources outside of a well-defined boundary. This could be done to ensure that an unsigned application cannot access sensitive (think net-banking) communications via security holes in the OS (buffer overflows, etc. - something Windoze is pretty littered with). Alternatively, an OS could decide to not allow some signed and unsigned applications to run at the same time.
  • Other OSs may decide to trust the users to make informed decisions, and only set up (de-centralised) signing and certificates on the distribution side (most Linux distros).
  • A signed application is no guarantee against malicious code. To ensure an application is not malicious - by design or otherwise - someone has to audit the code in minute detail. Who that someone is is to some extent the crux of the problem. In OSS, it is essentially the end users or their agents. The idea being that “given enough eyes, all bugs [and vulnerabilities] are shallow,” to slightly paraphrase E. S. Raymond. In the proprietary world it is often left to some third party who may or may not have the best of intentions, which is wholly opaque to the end user.

Finally, to get your signature approved (signed by other authority) is typically a rather expensive thing to do. Given that the benefits are small - at least for OSS and something like VASSAL, it makes sense not to incur that cost.

Yours,
Christian

Thank you Christian. This is very interesting and helpful. I had no idea there was a significant cost involved, and I did not realize VASSAL was OSS–I just like to play board games.

Thank you.

Best, Patrick

If you want to verify the integrity of the installer you’ve downloaded, you can already do that—we’ve published SHA256 hashes for every release back to 3.2.17. I have yet to hear from anyone who has checked a hash, which makes me suspect that genuine concern among users about the integrity of our downloads is rare.

The security you get from a signed installer is knowing it was signed by somebody who had the certificate used to sign it. That’s pretty much it. You don’t even know that the somebody doing the signing was the same somebody who bought the signing certificate. Moreover, somebody who isn’t us could sign our Windows installer and put that out on the internet, and that would still show up in Windows as signed. It wouldn’t show up as being signed by us, but to notice that you’d have to read the dialog more carefully than most people do. What they couldn’t easily do is make their installer downloadable from our site (or GitHub account). The moral here is that paying attention to where your download is coming from matters more than whether it is signed.

That said, I’d be happy to sign the Windows installer if Windows would accept signatures with certificates from a free certificate authority like Let’s Encrypt, but as it stands they don’t. Microsoft needn’t have set things up this way, so the fact that they did smells of an attempt to stifle people who won’t or can’t pay. (This situation is worse with MacOS, where Apple insists you buy a signing certificate from them. At least with Microsoft’s signing certificates, you can buy them from the usual bloodsuckers certificate resellers.)

I would not, on the other hand, be happy about requiring anything to be signed for it to work, as that denies anyone the freedom to reuse, tinker with, and otherwise modify our code.

I have yet to be persuaded that there’s a net benefit to paying for a signing certificate (or two, since we’d need one for Windows and one for MacOS, and they expire, so it would be a recurring expense) and setting up the infrastructure to do the signing just so a dialog people see when they install shows a different message.

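One way to actually run the integrity check Joel describes (comparing a downloaded installer against the published SHA256 hash), added here as an example and not code from the VASSAL project or from anyone in this thread; the installer bytes, file name and hash list are constructed stand-ins, and the hash list is assumed to use the sha256sum “hash␣␣filename” layout.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-ins for the installer and for the published hash list;
# the real ones come from the VASSAL release page, not from this post.
SAMPLE_NAME = "VASSAL-3.6.14-windows-x86_64.exe"
SAMPLE_INSTALLER = b"constructed sample installer bytes, not a real executable"
SAMPLE_HASH_FILE = f"{hashlib.sha256(SAMPLE_INSTALLER).hexdigest()}  {SAMPLE_NAME}\n"

def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so a large installer is never read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_hash_file(text: str) -> dict:
    """Parse 'hash  filename' lines (sha256sum format) into {filename: hash}."""
    published = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        published[name.strip().lstrip("*")] = digest.lower()  # '*' = binary marker
    return published

def verify_download(path: Path, hash_file_text: str) -> bool:
    """True only if the file's SHA256 equals the hash published under its name."""
    expected = parse_hash_file(hash_file_text).get(path.name)
    if expected is None or len(expected) != 64:
        return False  # nothing published for this file name: treat as unverified
    return hmac.compare_digest(sha256_of_file(path), expected)

def demo() -> tuple:
    """Write the sample installer, verify it, then verify a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / SAMPLE_NAME
        path.write_bytes(SAMPLE_INSTALLER)
        ok = verify_download(path, SAMPLE_HASH_FILE)
        path.write_bytes(SAMPLE_INSTALLER + b"\x00")  # a single appended byte
        tampered = verify_download(path, SAMPLE_HASH_FILE)
    return ok, tampered
```

A matching hash only shows the file arrived unchanged from wherever the hash was published; as Joel's post says, where you fetched both from is what actually establishes provenance.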

Hi Joel,

Thanks for your very detailed note. I will download VASSAL, and “override” the Windows Defender warnings. The main thing that I did not understand is that VASSAL is OSS, but wow, I have learned a lot in the last two days about this…

Whoops, hit send a bit quick there. I was going to also say, Joel, thanks for the tip on checking where the software is coming from.

Thanks for everyone’s notes. What an education…

Happy gaming!

Patrick

OK, I downloaded VASSAL. True to form, Microsoft made sure every step was highlighted in yellow or orange, to show what a bad person I am.

Best, Patrick
