
Verify extension publisher domain ownership to help users easily assess their authenticity and credibility #127825

Closed
chrisraygill opened this issue Jul 1, 2021 · 20 comments
Labels

  • extensions: Issues concerning extensions
  • insiders-released: Patch has been released in VS Code Insiders
  • plan-item: VS Code - planned item for upcoming
  • upstream: Issue identified as 'upstream' component related (exists outside of VS Code)
  • upstream-issue-linked: This is an upstream issue that has been reported upstream
  • verification-needed: Verification of issue is requested
  • verified: Verification succeeded

Comments

@chrisraygill

chrisraygill commented Jul 1, 2021

Problem

We have gotten consistent feedback from VS Code users that they don't feel confident determining publisher authenticity and trust, especially when choosing among several similar or forked extensions.

Proposal

We can enable publishers to verify ownership of an identifying domain to support their authenticity and credibility. Well-known entities will verify ownership of their most recognizable domain (i.e. google.com, github.com, etc.). Individual publishers can verify ownership of their personal/professional websites, which may contain blog posts, a CV, social media links, and more, to help consumers verify their authenticity and gauge their credibility.

We can automatically verify ownership of a domain by checking for the presence of a unique DNS TXT record - the same approach used by GitHub to verify domains owned by an organization.

The verified domain will be displayed alongside the publisher name in the VS Code search results, in the extension details, and on the Marketplace website. See the mock-ups section for further details.

Mockups

VS Code

[screenshot]

[screenshot]

Marketplace website

coming soon...

Prior art

GitHub verified organizations

[screenshot]

Pub.dev verified publishers

[screenshot]

Edge/Chrome Extension Stores

[screenshot]

Q & A

Q: Why verify domain ownership over verifying GitHub account?

  • We don't want to be overly biased toward GitHub users since many prominent publishers are not.
  • Not all companies or well-known entities have a GitHub organization, but all of them have a website.
  • It's easy to find examples of GitHub accounts that resemble well-known entities, but aren't actually associated with them: see https://github.com/redhat.

Q: Why verify domain ownership over having the Marketplace team manually verify identity?

  • Verifying identity is meaningless for most individual publishers while clearly displaying a verified domain invites cautious users to learn more about the publisher.
  • Automatic verification is a solution that will easily scale with VS Code's growing extension ecosystem.
  • Automatic verification removes potential for bias as opposed to us choosing who gets to be verified - a frequent subject of contention on platforms like Twitter.

Q: What if a malicious actor buys a deceptive domain?

  • Verified domains will be protected by typo-squatting protection, so a malicious actor would fail to verify "mlcrosoft.com" or "github.us" for example.
  • The Marketplace team will investigate all abuse claims and evaluate validity.
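The proposal rests on two mechanisms, the DNS TXT ownership check and the typo-squatting protection, and the following Python is an added illustration of both. It is not part of this issue or of the Marketplace implementation; the TXT record value format, the homoglyph table, the edit-distance threshold and the protected-domain list are assumptions, and the TXT records are constructed sample data rather than the result of a real lookup.

```python
# Added example, not from this issue or the Marketplace code. The TXT value
# format, the lookalike rules and the protected-domain list are assumptions.
import secrets
import unicodedata
from typing import Optional

# Assumed value format for the TXT record the publisher is asked to publish.
CHALLENGE_PREFIX = "vscode-marketplace-verification="


def issue_challenge() -> str:
    """Mint the value a publisher must publish in a TXT record on the domain.
    A fresh random token per publisher means a record copied from one
    verified domain cannot be reused to verify another."""
    return CHALLENGE_PREFIX + secrets.token_urlsafe(32)


def _join_txt(record: str) -> str:
    """TXT data longer than 255 bytes is returned as several quoted strings,
    e.g. '"abc" "def"'. Join them and drop the quotes; unquoted data is
    returned as-is."""
    parts = [p.strip() for p in record.split('"') if p.strip()]
    return "".join(parts) if parts else record.strip()


def domain_verified(txt_records, expected: str) -> bool:
    """True only if some TXT record equals the challenge exactly. Whole-record
    equality rather than substring search, so a record that merely contains
    the token (or the token plus a suffix) does not pass."""
    return any(_join_txt(r) == expected for r in txt_records)


# Lookalike screen of the kind "typo-squatting protection" implies (assumed rules).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def fold(label: str) -> str:
    """Normalise a label so visually similar spellings compare equal."""
    s = unicodedata.normalize("NFKC", label).lower()
    for lookalike, plain in HOMOGLYPHS:
        s = s.replace(lookalike, plain)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), used to catch single typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split(domain: str):
    """Split 'name.tld'. Assumption: a real check would use the Public Suffix
    List so that e.g. 'example.co.uk' splits correctly."""
    name, _, suffix = domain.lower().rpartition(".")
    return name, suffix


def lookalike_of(candidate: str, protected) -> Optional[str]:
    """Return the protected domain the candidate imitates, or None.
    The genuine protected domain itself is not a lookalike."""
    candidate = candidate.lower()
    if candidate in {p.lower() for p in protected}:
        return None
    c_name, _ = _split(candidate)
    for p in protected:
        p_name, _ = _split(p)
        if c_name == p_name:                      # same name, other TLD: github.us
            return p
        if fold(c_name) == fold(p_name):          # homoglyphs: micros0ft.com
            return p
        if len(p_name) >= 6 and levenshtein(c_name, p_name) <= 1:  # typo: mlcrosoft.com
            return p
    return None


# Constructed sample data so the block runs stand-alone.
PROTECTED = ["microsoft.com", "github.com"]
SAMPLE_CHALLENGE = CHALLENGE_PREFIX + "constructed-token-0123"
SAMPLE_TXT = [
    "v=spf1 -all",
    '"' + SAMPLE_CHALLENGE + '"',                 # the record we are looking for
    SAMPLE_CHALLENGE + "-extra",                  # contains the token but is not it
]

if __name__ == "__main__":
    print("ownership verified:", domain_verified(SAMPLE_TXT, SAMPLE_CHALLENGE))
    for d in ["mlcrosoft.com", "github.us", "rnicrosoft.com", "github.com", "example.org"]:
        print(d, "->", lookalike_of(d, PROTECTED))
```

The per-publisher random token is what makes the check meaningful: a publisher can only pass it by editing the zone of the domain they claim, and a TXT value seen on one domain says nothing about another. The lookalike screen is deliberately conservative (exact protected domains pass, and the edit-distance rule only applies to longer names) because a false positive blocks a legitimate publisher, which is why the proposal also keeps a manual abuse-review path.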
@chrisraygill chrisraygill changed the title Verify publisher domain ownership to help users easily assess their authenticity and credibility Verify extension publisher domain ownership to help users easily assess their authenticity and credibility Jul 1, 2021
@chrisraygill
Author

chrisraygill commented Jul 1, 2021

The current mockups are based on some initial feedback from a Twitter post where I presented a few potential ideas.

[screenshot]

In general people seemed to like the simplicity of #1 and the explicitness of #3. Completely exchanging the existing display names for the verified domain (the pub.dev approach) seems to be too drastic a change, and many users were concerned about losing brand recognition.

In this proposal I'm driving #3 forward as the explicitness should provide the best experience for more security-conscious users and makes it clear that we are only verifying the domain, not the identity of the publisher.

@miguelsolorio
Contributor

Did you ever explore doing a combination of 1 and 3?

[screenshot: CleanShot 2021-07-01 at 15 10 40@2x]

I do agree that 1 is simpler so wondering if there's a way where both versions can co-exist.

@chrisraygill
Author

chrisraygill commented Jul 1, 2021

@misolori I did not! However, I did get feedback from several users that they preferred the checkmark being next to the domain to make it clear that it is the domain, not the publisher directly, that is being verified - an important distinction.

That being said, your example looks far more aesthetic than anything I had 😁 Any ideas how we can keep the clean look but make the conceptual link between the checkmark and domain clearer?

@bmvantunes

I really love to see this 👍

On Twitter I was 50/50 between option 1 and 3, but I think I ended up voting for option 1.
I love how clean option 1 is, but also love the extra information given by option 3.

If I remember correctly, I suggested on Twitter something that combines both, basically the same idea that @misolori suggested here, but with a slightly different implementation.

I suggested we could have option 1 and when the user hovers the verified checkmark we could show the label "This publisher has verified ownership of GitHub.com" - it is clean and gives all the info for users that want to see it (by mouse hover on the blue checkmark) :)

Regardless of which option ends up being implemented, all these options will give users a much higher level of confidence in the extensions they are installing. Confidence is the most important aspect of this new feature (in my opinion) :)

Great job!

@sandy081 sandy081 added plan-item VS Code - planned item for upcoming extensions Issues concerning extensions labels Jul 2, 2021
@sandy081 sandy081 added this to the Backlog milestone Jul 2, 2021
@idan

idan commented Jul 2, 2021

This is dope!

I wrote some design + informational choices feedback on the original thread, resurfacing here in screenshot form for easy reference :)

[screenshot]

@latere-a-latere

latere-a-latere commented Jul 2, 2021

Any reason why the Twitter-style checkmark hasn't been considered? By that I mean showing the checkmark next to the title rather than on a new line.

@chrisraygill
Author

> Any reason why the Twitter-style checkmark hasn't been considered? By that I mean showing the checkmark next to the title rather than on a new line.

@marnicgit The checkmark is near the publisher name and domain instead of the extension title to make it clear what is being verified. The idea of the checkmark is to show that we have verified control of the domain which is supposed to help support the authenticity/credibility of the publisher.

We don't want to necessarily give the impression that we have done any special security checks of the particular extension that make it guaranteed to be safe.

@latere-a-latere

That makes sense, thanks for the quick explanation

@isidorn
Contributor

isidorn commented Aug 26, 2021

@chgill-MSFT This is cool work. We should bring it up in one of the UX calls.
Some early feedback:

  • We are now using a large custom hover in the Extensions view, so the hover will look completely different
  • I understand Twitter and some other companies use the color blue for verified. However, I think green is a much better choice because:
    • Green is reassuring and this is something positive
    • GitHub also uses green for both Light and Dark theme
    • All VS Code buttons are blue, and this is something which is not actionable
  • Hover should be "This publisher has verified ownership of DOMAIN", so it should be dynamic based on domain name

Though I am sure we will have more feedback in the UX call. However from the VS Code UX side this is not a big item, I suggest that we discuss this once Marketplace supports this.

Upstream issue microsoft/vsmarketplace#39

@isidorn isidorn self-assigned this Aug 26, 2021
@isidorn isidorn added upstream Issue identified as 'upstream' component related (exists outside of VS Code) upstream-issue-linked This is an upstream issue that has been reported upstream labels Aug 26, 2021
@isidorn isidorn modified the milestones: Backlog, September 2021 Aug 27, 2021
@isidorn
Contributor

isidorn commented Sep 9, 2021

This is work in progress on the Marketplace side. Current plans are that there should be an initial support for this in October. Thus moving to October milestone.

@sandy081
Member

sandy081 commented Oct 24, 2021

Verified publisher (domain) is shown as follows in various places:

[screenshot: Screenshot 2021-10-24 at 12 10 07]

@misolori At present I am using the verified codicon and defined a color as follows. It would be great if you can replace it with the filled verified icon and also update the colors accordingly:

```ts
import { localize } from 'vs/nls';
import { Codicon } from 'vs/base/common/codicons';
import { registerIcon } from 'vs/platform/theme/common/iconRegistry';
import { registerColor } from 'vs/platform/theme/common/colorRegistry';
export const verifiedPublisherIcon = registerIcon('extensions-verified-publisher', Codicon.verified, localize('verifiedPublisher', 'Icon used for the verified extension publisher in the extensions view and editor.'));
export const extensionVerifiedPublisherIconColor = registerColor('extensionIcon.verifiedForeground', { dark: '#0E639C', light: '#007ACC', hc: null }, localize('extensionIconVerifiedForeground', "The icon color for extension verified publisher."), true);
```

@miguelsolorio
Contributor

Updated the icon to a solid and used the link color for the icon (which themes better):

[screenshot: CleanShot 2021-10-25 at 15 46 20@2x]

[screenshot: CleanShot 2021-10-25 at 15 48 42@2x]

@sandy081 sandy081 added the verification-needed Verification of issue is requested label Oct 26, 2021
@sandy081
Member

Please reach out to me in Slack/Teams for verification steps

@gjsjohnmurray
Contributor

Not yet seeing this in Insiders:

[screenshot]

@chrisraygill
Author

Hi @gjsjohnmurray! The screenshot from Sandeep is of our testing instance. We don't yet have any publishers verified in production - but expect to start seeing some verified publishers soon 😉

@joyceerhl joyceerhl added the verified Verification succeeded label Oct 27, 2021
@miguelsolorio
Contributor

We now have a couple of extensions verified in the marketplace (via Insiders)! Thanks to @chgill-MSFT for working on getting them verified this week!

[screenshot: CleanShot 2021-10-28 at 10 30 57@2x]

[screenshot: CleanShot 2021-10-28 at 10 34 05@2x]

[screenshot: CleanShot 2021-10-28 at 10 29 36@2x]

@isidorn
Contributor

isidorn commented Nov 1, 2021

Great work 👏
I love how this ended up. And I love the solid style icon 😍

@gjsjohnmurray
Contributor

Agreed, great work 🎉

@chgill-MSFT what is the best pathway for getting my publisher domain ownership verified?

@chrisraygill
Author

Hi @gjsjohnmurray, a streamlined workflow to verify your publisher domain directly through the Visual Studio Marketplace publisher management page will be available by November 15th.

If you would like to be among the first notified when it's available, you can sign up here for an email notification: https://aka.ms/verified-publisher-sign-up.

@chrisraygill
Author

Hi y'all!

Happy to say that you can verify your publisher through the Marketplace website 🎉

@github-actions github-actions bot locked and limited conversation to collaborators Dec 8, 2021

10 participants