Re: ClickOnce Security Risk



NickP wrote:
Hi there,

I've discovered what I believe to be a security risk with
ClickOnce. I have only just started publishing my application using
our own Trusted certificate; before this I was using a test
certificate.
The problem is that when I published a new build with the new
certificate and then updated the client on a separate machine, it
didn't even warn me that the signature did not match the previous
version. Surely this is a security risk? So basically I could
create an application with the same name / guid etc, use a test
certificate with a similar company name and then overwrite the app
and the user would be none the wiser...
Unless I've missed the point somewhere along the lines of course.


I'm surprised; I have seen exactly the opposite, with any change in certificate being
considered completely invalid. Did the user run the update from a shortcut on
their machine, or go to the web site again? You may have simply installed a new
program on their machine, not updated the old one.

