Re: ClickOnce Security Risk





"Steve Gerrard" <mynamehere@xxxxxxxxxxx> wrote in message news:57KdndkWiMlpNnDanZ2dnUVZ_siknZ2d@xxxxxxxxxxxxxx
NickP wrote:
Hi there,

I've discovered what I believe to be a security risk with
ClickOnce. I have only just started publishing my application using
our own Trusted certificate, before this I was using a test
certificate.
The problem is that when I published a new build with the new
certificate and then updated the client on a separate machine, it
didn't even warn me that the signature did not match the previous
version. Surely this is a security risk? So basically I could
create an application with the same name / guid etc, use a test
certificate with a similar company name and then overwrite the app
and the user would be none the wiser...
Unless I've missed the point somewhere along the lines of course.


I'm surprised, I have seen exactly the opposite, any change in certificate being considered completely invalid. Did the user run the update from a shortcut on their machine, or go to the web site again? You may have simply installed a new program on their machine, not updated the old one.



Steve, you're right, it used to force the user to deinstall and reinstall the application in order for the deployment to change the certificate. They have fixed this with VS2008 if you are running .Net 2.0 SP-1 or .Net 3.5. (Great news, I think.)

It is still doing the checking of the signed manifests. The certificate basically assures the user that the source of the application is a known and valid source, rather than an "unknown publisher". It doesn't verify that the application deployment is uncorrupted; that is handled by the digitally-signed manifest files.

RobinS.
GoldMail.com
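As an added example (not code from the thread, nor anything shipped with ClickOnce): a small Python script that does, from the defender's side, the check NickP expected the client to do, namely pinning the publisher certificate across updates and reporting when a new deployment manifest is signed by a different certificate or carries a different `publicKeyToken` in its deployment identity. It assumes the manifest exposes the signer certificate as an XML-DSig `X509Certificate` element somewhere in the document and the deployment identity as the first `assemblyIdentity` element in the `asm.v1` namespace; both manifests and the certificate bytes below are constructed placeholders, so confirm the element placement against a real `.application` file before relying on it.

```python
"""Compare signer identity between two ClickOnce deployment manifests.

Added example, not from the original thread. Assumptions: the signer
certificate is carried as a base64 DER blob in an XML-DSig <X509Certificate>
element, and the deployment identity is the first asm.v1 <assemblyIdentity>.
The manifests and certificate bytes here are constructed, not real ones.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
ASM_V1 = "{urn:schemas-microsoft-com:asm.v1}"

# Minimal stand-in for a .application manifest (constructed for this example).
MANIFEST_TEMPLATE = """<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v2"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity xmlns="urn:schemas-microsoft-com:asm.v1" name="{name}"
      version="{version}" publicKeyToken="{token}" language="neutral"
      processorArchitecture="msil" />
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyInfo><X509Data><X509Certificate>{cert}</X509Certificate></X509Data></KeyInfo>
  </Signature>
</asmv1:assembly>"""

# Constructed placeholder "certificates": real ones would be DER-encoded X.509.
OLD_CERT_DER = b"constructed-test-certificate-v1"
NEW_CERT_DER = b"constructed-trusted-certificate-v2"


def build_manifest(name, version, token, cert_der):
    """Render a constructed manifest with the given identity and signer cert."""
    return MANIFEST_TEMPLATE.format(
        name=name, version=version, token=token,
        cert=base64.b64encode(cert_der).decode("ascii"))


OLD_MANIFEST = build_manifest("MyApp.application", "1.0.0.0",
                              "0123456789abcdef", OLD_CERT_DER)
NEW_MANIFEST = build_manifest("MyApp.application", "1.0.0.1",
                              "fedcba9876543210", NEW_CERT_DER)


def sha1_hex(data):
    """Upper-case SHA-1 hex digest; the same form as a certificate thumbprint."""
    return hashlib.sha1(data).hexdigest().upper()


def signer_thumbprint(manifest_xml):
    """Return the SHA-1 thumbprint of the first signer certificate found."""
    root = ET.fromstring(manifest_xml)
    cert = root.find(".//" + DSIG + "X509Certificate")
    if cert is None or not (cert.text or "").strip():
        raise ValueError("manifest carries no X509Certificate element")
    der = base64.b64decode("".join(cert.text.split()))
    return sha1_hex(der)


def public_key_token(manifest_xml):
    """Return the publicKeyToken of the deployment identity."""
    root = ET.fromstring(manifest_xml)
    ident = root.find(".//" + ASM_V1 + "assemblyIdentity")
    if ident is None or not ident.get("publicKeyToken"):
        raise ValueError("manifest carries no deployment identity token")
    return ident.get("publicKeyToken")


def compare_publisher(old_xml, new_xml):
    """Report what changed between a pinned manifest and an update candidate.

    Returns an empty dict when signer and identity match; otherwise the keys
    'certificate_changed' and/or 'identity_changed' map to (old, new) pairs.
    """
    findings = {}
    old_tp, new_tp = signer_thumbprint(old_xml), signer_thumbprint(new_xml)
    if old_tp != new_tp:
        findings["certificate_changed"] = (old_tp, new_tp)
    old_tok, new_tok = public_key_token(old_xml), public_key_token(new_xml)
    if old_tok != new_tok:
        findings["identity_changed"] = (old_tok, new_tok)
    return findings


if __name__ == "__main__":
    for key, (old, new) in compare_publisher(OLD_MANIFEST, NEW_MANIFEST).items():
        print(f"{key}: {old} -> {new}")
```

In operation the "old" side would be a thumbprint and token pinned at first install rather than a stored manifest; either way the point is the one Robin makes, that the certificate answers "who published this" while the signed manifest answers "is this intact", so a change on the publisher side deserves its own alert even when the manifest signature verifies.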



