ClickOnce and permission elevation prompting in the internet zone

re: ClickOnce and permission elevation prompting in the internet zone

dominick — Wed, 01 Mar 2006 03:14:47 GMT

Hi,

maybe you should have referenced the original blog post to get the full picture.

it is here:
http://www.leastprivilege.com/BewareBeAwareOfClickOnceDefaultSettings.aspx

cheers
dominick

re: ClickOnce and permission elevation prompting in the internet zone

dominick — Wed, 01 Mar 2006 03:30:41 GMT

Ah - btw - you cannot completely disable ClickOnce by zone - even when prompting is set to disabled - apps with certs from the trusted pub folder can elevate.

cheers
dominick

re: ClickOnce and permission elevation prompting in the internet zone

Rudolph — Wed, 01 Mar 2006 03:35:42 GMT

Jen's scenario is why the policy was meant to eb customizable. I dont think anyone questions that. I think we question why that is being shipped as the default.

re: ClickOnce and permission elevation prompting in the internet zone

Patrick Hynds — Wed, 01 Mar 2006 05:05:48 GMT

I am unconvinced. I think that new technologies (like ClickOnce and .Net) should strive to improve security rather than hide behind bad models that happen to already exist. I think you are hurting the fight to show that MS can do things securely which on many other fronts strong advances have been made.

Secure by default should be the mantra, not secure when convenient.

Thanks
Patrick

re: ClickOnce and permission elevation prompting in the internet zone

Saurabh — Wed, 01 Mar 2006 05:37:17 GMT

Dominik Thx for including the post.

And yes you can disable "ClickOnce prompting" per zone but NOT "ClickOnce". Applications signed by Trusted Publishers will still run ...

re: ClickOnce and permission elevation prompting in the internet zone

Saurabh — Wed, 01 Mar 2006 05:53:46 GMT

Hey Rudolph,
Jen's scenario is one where if it was a requirement for her friends to apply custom ClickOnce policy before installing her "Hobbyist App", the scneario would have been a non starter. They would just have decided to not try her app out, prompting her to move to having them just download the exe and run locally.

After our Beta2 release we concluded that we were not really adding any security by disabling prompting for internet ClickOnce apps, for it was very easy in for malicious Apps to bring up a prompt anyway. I just use Jen here to bring forth the point that while not really adding to security we were inconvniencing a set of our customers and potentially driving them to make worse security decisions.

ClickOnce and Permission Elevation

Brad Abrams — Wed, 01 Mar 2006 06:52:39 GMT

ClickOnce is a very cool client application delivery system that we shipped in V2.0 of the .NET Framework...

Click Once misses the Pit of Success

Jason Whittington — Wed, 01 Mar 2006 07:02:00 GMT

With all due respect, this completely misses the point. Perhaps you've heard Rico Mariani talk about "the pit of success" which he defines as follows:

"The Pit of Success: in stark contrast to a summit, a peak, or a journey across a desert to find victory through many trials and surprises, we want our customers to simply fall into winning practices by using our platform and frameworks. To the extent that we make it easy to get into trouble we fail."

So now look at your scenario. Jen is a .NET enthusiast, enthusiastic to get her software out the door. The path of least resistance (the pit) for Jen is to just specify FullTrust whether she needs it or not. You say "Today...Jen can use ClickOnce to downloaded her App and run in the Intranet sandbox." but this requires *more work* - Jen has to debug her app in the Intranet zone and do her best to figure out what permissions she needs. Your customers security depends on Jen going the extra mile here. Multiply by a million and once again you train your user base to click OK for everything, rather than seeing a need to press OK as unusual and risky.
The pit leads to a less secure environment for everyone, especially my mother-in-law who will click "Yes" on any dialog whatsoever :)

Requiring Jen to get a certificate changes the dynamic. As you say, it's a pain for Jen to do that, so the path of least resistance is for Jen to do the right thing with CAS. Jen would learn better security habits and my grandmother would be a little safer. That is much better for your customers, even if it inconveniences Jen.

Your argument that following the ActiveX model will lead to wider adoption is specious at best. ActiveX has caused all kinds of problems for Microsoft's customers because one click gives the software carte-blanche on the machine. I think your community would prefer that you start to address this rather than continue down the same road that has brought a lot of the spyware problems to begin with.

re: ClickOnce and permission elevation prompting in the internet zone

Jason Whittington — Wed, 01 Mar 2006 07:27:30 GMT

I forgot to add - I have shown ClickOnce to hundreds of developers over the last year and a half (ever since the MAGEUI days). The audiences I saw were generally pleased when I showed them that ClickOnce refused to install unsigned code coming from the Internet zone. Now I always see some of them rolling their eyes and groaning when I show them this behavior. Several have asked me why I bothered showing them CAS at all if it can be subverted so easily. So I'm not sure the developer community is really that enthusiastic about this particular policy decision.

ClickOnce and permission elevation prompting in the internet zone

ClickOnce Team Blog — Wed, 01 Mar 2006 15:53:55 GMT

Saurabh put together interesting article around this issue.&nbsp;
http://blogs.msdn.com/saurabh/archive/2006/02/28/540878.aspx...

re: ClickOnce and permission elevation prompting in the internet zone

Saurabh — Wed, 01 Mar 2006 22:55:05 GMT

Jason reading through your comment it seems the part where our thinking degresses is this -
You believe the inability to prompt for elevation would have forced Jen to build a App that works is the internet sandbox.

I am assuming here Jen has doen all the due security deligence and decided the minimum security set App requires is IntrAnet - which is a very realistic assumption for a large set of Apps today.

I believe that the inability to prompt for elevation would have taken her down the path of least resistance which was to have her friends downloaded the exe.

re: ClickOnce and permission elevation prompting in the internet zone

Jason Whittington — Thu, 02 Mar 2006 00:27:38 GMT

Saurabh - why are we even talking about Jen and her friends on myspace [err, "MSN Spaces" :) ]? "Jen and her friends" is a largely irrelevant scenario relative to "I want to sell my ClickOnce app to millions of people". Jen and her friends may think ClickOnce is just a sick cool way to distribute new versions of the Hampster Dance, but they are not going to be driving worldwide adoption of ClickOnce as a commerce technology.

Jen is considered trustworthy by her friends. They know Jen so they feel comfortable giving her code a trusted role on their machines. Jen's hippie friends would probably even be willing to add Jen as a trusted CA, at which point Jen can ask for fulltrust no problem. Jen could even send her friends an EXE that does the CA meddling. Her friends would probably be willing to run that EXE, but they're her friends.

Once Jen graduates from college and decides to pursue her fortune distributing "Happy Hampster dance: Enterprise Editiont" to a mass audience she's going to find that she can't rely on the world trusting her the way her college friends did. This is as it should be. In the Beta 2 world you forced Jen to grow up a little and pass some minimum bar of trustworthiness / accountability if she wanted internet distribution. You're doing your customers [and Jen's] a favor here by forcing Jen to either live within partial trust or get at least some minimum amount of accountability by using a cert.

If she doesn't want to do those things sure she could choose ActiveX or the updater block or write her own but presumably ClickOnce is evolving into a killer technology to where Jen will be at competitive disadvantage if her software doesn't use it. Personally I think the trust story is a big part of that.

The reason I object the final bits is that Jen doesn't have to change the habits that worked with her college dorm buddies - she can ask for fulltrust just like she used to do
and tell the world to trust her just like her friends do. ClickOnce does little to help protect users in this case, and it gives Jen little incentive to tighten up the sloppy security practices she learned as a hobbiest.

ClickOnce Security in .NET 2.0

Mike Taulty's Weblog — Fri, 03 Mar 2006 13:08:06 GMT

re: ClickOnce and permission elevation prompting in the internet zone

Eric Cosky — Sat, 04 Mar 2006 11:49:52 GMT

ClickOnce seems to be great stuff and I'm excited about it. From what I know so far the security behavior seems very similar to what I see from Java applets which is IMHO the right level of prompting.

re: ClickOnce and permission elevation prompting in the internet zone

SSG — Tue, 07 Mar 2006 23:49:32 GMT

I like to think that the unsigned ActiveX debacle was born of naiveté: you're nice guys and you thought everyone else was, too. But by now you should know that this isn't the case and make the same mistake again is unforgivable.

You claim that security is paramount to Microsoft, these days, and then you say 'we're just doing the same as we do elsewhere'. You should be striving to be better than you were before, because before, you simply weren't good enough.

I'm a .NET developer and I love some of the new stuff in 2.0 but once again, you've let the marketing guys set the rules.

re: ClickOnce and permission elevation prompting in the internet zone

Nikhil — Wed, 08 Mar 2006 13:16:19 GMT

I agree with Jason. You guys should get your priorities sorted out. Security comes before Golf handicaps.

re: ClickOnce and permission elevation prompting in the internet zone

Steve Rodgers — Wed, 08 Mar 2006 13:25:19 GMT

I recall the leaked memo from BillG to all staff a few years ago that sited the company wide security push needed to make the platform usable again after the trojan / virus nightmare so many people have been living in. The fear then was that it would become unusable and that people would move to other platforms if nothing was done about it.

I distinctly recall my brother moving to the Mac 2 years ago after he gave up on the instructions I was feeding him to remove spyware from his XP installation.

I cannot believe that the interests of the hobbyist take precedence over the security requirements of a global platform. This doesn't strike me as a decision based upon experience. It feels like we're going backwards. CAS was designed to prevent exactly this situation...and by the way...most end users will push the "Run" or the "Yes" button when they see a complex dialog asking them questions about security or trust.

Whatever happened to the "Secure by design, secure by default, secure in deployment" mode of thinking? One can only imagine how Michael Howard is feeling about all this.

re: ClickOnce and permission elevation prompting in the internet zone

Mikey — Wed, 08 Mar 2006 13:31:40 GMT

Yep - my aunty wants to publish something on the internet without buying a cert or knowing what CAS is, so we should let anyone publish and prompt the user to run code...

If my aunty wants to do this stuff, she should know how to do it properly rather than ClickOnce bypassing basic security concepts like internet vs intranet/trusted vs restricted.

Now this has shipped with what outwardly appears to be 'DANGEROUS' default settings, most IT departments will think this is just equivalent to allowing unsigned ActiveX controls. Have I missed the point, or has MS?

.NET Resources

mattonsoftware.com — Sat, 06 May 2006 11:29:20 GMT

The following links to .NET resources have been collated over time with the assistance of colleagues.&nbsp;...

Saurabh Pant s Weblog ClickOnce and permission elevation prompting in | Cellulite Creams

Tue, 09 Jun 2009 06:04:59 GMT

PingBack from http://cellulitecreamsite.info/story.php?id=6350

Saurabh Pant s Weblog ClickOnce and permission elevation prompting in | work from home

Tue, 16 Jun 2009 14:11:10 GMT

PingBack from http://workfromhomecareer.info/story.php?id=33928

Saurabh Pant s Weblog ClickOnce and permission elevation prompting in | bar stools

Fri, 19 Jun 2009 09:36:44 GMT

PingBack from http://barstoolsite.info/story.php?id=7830