ClickOnce and remembering permissions granted

Are there any public examples of applications deployed by ClickOnce on the web?
(preferably ones that have the deployment manifest Authenticode-signed).

Before deploying a few of my .NET 2 apps that way, I want to see what the GUI user experience looks like.

Also, for elevated permissions which cause the end-user to be prompted to allow/deny (similar to Signed Java applet ..), does the user get a chance to decide to "remember and trust this publisher" ?? if the deployment manifest is Authenticode signed??

- Mitch Gallant
MVP Security

"Mitch Gallant" <jensigner@community.nospam> wrote in message news:uqkKil5TGHA.6048@TK2MSFTNGP11.phx.gbl...
> Are there any public examples of applications deployed by ClickOnce on the web?
> (preferably ones that have the deployment manifest Authenticode-signed).

None that I know of, but it's reasonably simple to set up a test app.

> Before deploying a few of my .NET 2 apps that way, I want to see what the
> GUI user experience looks like.
>
> Also, for elevated permissions which cause the end-user to be prompted
> to allow/deny (similar to Signed Java applet ..), does the user get a chance
> to decide to "remember and trust this publisher" ?? if the deployment manifest
> is Authenticode signed??

No. ClickOnce permission elevation is associated purely with the application, not with the publisher. However, if a publisher is already configured as a trusted publisher on the client machine (adding a trusted publisher isn't functionality available via the ClickOnce UI), the ClickOnce prompting behaviour will be affected. (See http://msdn.microsoft.com/library/en-us/dnwinforms/html/clickoncetrustpub.asp for details.)

Good luck in finding them.
I have asked this before and received no answer (I even sent it to some Microsoft contacts who initially told me they would come back with an answer, and then never replied (probably because they didn't find any significant example)).

My question was a bit more specific than yours, I was after ClickOnce applications that were executed in a 'secure' Partial Trust environment (so ClickOnce apps which need the UnmanagedCodePermission don't count).

Note: I wanted this list to show the students of the Asp.Net Security classes that I teach real live examples of my main message to them "Write applications that can be executed in secure partial trusted .Net environments"

Dinis Cruz
Owasp .Net Project
www.owasp.net

well - i have some on my server in the /ClickOnce directory (you know the
rest of the URL)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

yes, but are these real world applications that perform an action that
users are willing to pay for?

or are these Proof-of-Concept examples?

Question: I had a quick look and only saw the executables (namely the multiple setup.exe), are you also publishing the source code of these examples?

Dinis

these are of course proof-of-concept apps
read more here:

http://www.leastprivilege.com/BewareBeAwareOfClickOnceDefaultSettings.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi Dominick,
OK .. I've been around the block a few times on this type of discussion .. and coming from a Java and signed Java applet background (both within a large enterprise and "solo") a lot of the issues are identical, and I have some practical experience in this area with many average and savvy users.

First off ... prompting the end-user with too many dialogs or too much info is a definite no-no. Besides, most end-users, even savvy ones but with little experience on trust elevation, NEVER really understand what those dialogs mean.

I was not aware of that default 2.0 RTM behaviour where elevation is possible from Internet zone in ClickOnce without a valid digital signature, i.e. one issued by a CA known by the local ROOT cert store and within the validity time period of the cert, if the signature wasn't time-stamped.

Most people (save us security-informed types) just don't know what a digital signature is and just don't have a clue if they should be hoodwinked into trusting it .. etc.. If the carrot is big enough, or the dialog is convincing, many will take the bait (not us of course :-)

I personally think that ClickOnce for Internet SHOULD have the same elevation capability but with ONLY trusted code-signing signature (unlike your recommendation .. I think same should apply for the Internet zone). This is better than the current RTM 2 situation, but not as aggressive as your recommendation.
This kind of levels the playing field with Java's RSA signed Java applets getting FULL or NONE permissions if properly digitally signed. Java2 applets that are NOT properly digitally signed are given NO capability to elevate permissions (unless .. as in CAS the local security policy allows trust based on Identity principals) .. very similar to .NET CAS implementation in some ways.

People already trust digitally signed Java applets with signatures (so that is proof of concept that people do trust that technology) ..
I used signed Java applets extensively on a corporate intranet for many useful things. The main benefit was transparency to end users .. of course in the (somewhat more) trusted Intranet environment .. even in the wake of BubbleBoy etc.. like using Signed Java applets to scan for shared-writeable network file shares :-)

btw I had a look at your first proof-of-concept above .. (unsigned). MS's implementation is WAY too complicated info for end user. The more-information link showing the "Machine Access" info is totally incomprehensible to an average user .. I have seen enough "hood-winks" in simple text saying "if there is a problem with recognizing the cert .. just go ahead and accept it!!!!" (not from you though ;-)

I agree with you that Intranet ClickOnce elevation should ALWAYS be based on valid digital signature. If it fails for ANY reason .. just don't offer ANY option to start it.
For the *Internet zone. I think same should apply (unlike your "lock 'em down" view). But I think the security dialog has to be greatly simplified for end users who would squarely have the trust-decision if digital-signature enabled Internet ClickOnce were to be the norm. Only allowing Internet digitally signed ClickOnce apps at least raises the bar a bit .. I personally believe that this should ONLY be allowed if the issuer is trusted .. which is fairly thin .. but does mean that a hacker who signs .. must manage to have the end user install his (say self-signed cert) to the trusted ROOT store.
I don't think the user should be allowed (via my wish-trusted signature dialog) the option to trust such a self-signed cert. etc.. etc..

Cheers,
- Mitch Gallant
MVP Security

btw to provide a sample, here is a digitally signed Java applet
which calculates the SHA1 or MD5 hash of any local file (hence elevated permissions for file access required) and displays result as hex-bytes or b64 encoded value:
http://www.jensign.com/messagedigesttest/

The applet was digitally-signed for Sun Java usage, with a VeriSign issued code-signing certificate. The applet was NOT time stamped (since time-stamping of Java jar archives has only recently been supported by Sun applet tech in Java 2 version 1.5+ .. applet above targets 1.4+). You will see a warning about this ... and are given the option to run it anyway. End users of course can't "digest" this information (pardon the pun!).

Interesting to compare this to Microsoft's dialogs .. you be the judge.

Dominick, I think you should have a few thumbnail images (didn't see them) on your nice page, showing screenshots of what dialogs the user sees :-)

- Mitch
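
The trust facts this thread keeps returning to (signature status, whether the signer's chain validates against the local stores, whether the signature was time-stamped, whether the signer is self-signed, and whether it is already in the Trusted Publishers store) can be read off one file as follows. This is an added example, not code from any poster; the function name is hypothetical, and it assumes an Authenticode-signed PE file such as one of the setup.exe bootstrappers mentioned above, not a ClickOnce manifest.

```powershell
# Added example (not from the thread). Get-SignerTrustFacts is a hypothetical name.
function Get-SignerTrustFacts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # assumed: a signed PE file, e.g. a ClickOnce setup.exe
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if ($null -eq $cert) {
        # Unsigned or unsupported format: nothing to chain or look up.
        return [pscustomobject]@{
            Path = $Path; Signed = $false; Status = $sig.Status
        }
    }

    # Build the signer's chain against the local stores, evaluated at the
    # current time. Revocation lookups are skipped so the check runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainValidNow = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Is this exact signer certificate already configured as a trusted publisher?
    $stores = 'Cert:\CurrentUser\TrustedPublisher',
              'Cert:\LocalMachine\TrustedPublisher'
    $isTrustedPublisher = @(
        Get-ChildItem -Path $stores |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    ).Count -gt 0

    [pscustomobject]@{
        Path             = $Path
        Signed           = $true
        # Overall verdict from Windows: Valid, NotTrusted, HashMismatch, ...
        Status           = $sig.Status
        # False for an expired signer even when a time-stamp keeps Status Valid.
        ChainValidNow    = $chainValidNow
        ChainProblems    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        ChainTopSubject  = $top.Subject
        SelfSigned       = ($cert.Subject -eq $cert.Issuer)
        TimeStamped      = ($null -ne $sig.TimeStamperCertificate)
        SignerExpired    = ((Get-Date) -gt $cert.NotAfter)
        TrustedPublisher = $isTrustedPublisher
    }
}

# Usage: Get-SignerTrustFacts -Path .\setup.exe | Format-List
```

A signer that is expired, not time-stamped and reports a Status other than Valid is the case the "within the validity time period of the cert, if the signature wasn't time-stamped" remark describes.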