Help! My Business Requirement: Security Vulnerability Needed


Ahh… such an innocuous requirement – “I want to allow my User to easily click on a link and directly install Software from a Web Page – without all the confusing IE security hoopla popping up and possibly failing to allow Installation if your Software is not signed. After all, my User trusts me.”


Requests like this happen all the time in all sorts of contexts (Intranet deployment of applications, Extranet deployment of applications, etc.), and even though it sounds like a good “feature”, the only proper answer to it is: “NO, your business requirement is a security vulnerability, so bzzzzzzt, Access Denied.”


Question:


Hi All,


How can I write an ASP page that will handle web-based Install? Is it possible, or do I need to go for some 3rd party Software for this? If yes, what is the best to use with ASP?


My requirement is: I have one Software that I wanted to install on the Customer PC directly from a Webpage instead of allowing the user to download the Software and Install.


I have no idea about this concept. Please guide.


Thanks


Answer:


Assuming that you and your users care about Security, I suggest that you abandon your “Requirement” because it amounts to a Security Vulnerability. How so?


Well, assuming you get what you want – that you have one-click web-based Install from an ASP page, either with a 3rd party plugin or not – what would stop Hackers from using the same mechanism to automatically install Malware onto the same User’s machine? In other words, given an arbitrary URL to allow one-click web-based Install, how can the browser distinguish between your website and a hacker’s website?


Remember, I presume that since you do not even want users to download/install applications in two steps, you also do not want users to have to first manually identify your website as belonging to a different security zone – you want it all to happen automatically with one-click, given default security configuration.


Hmm, so let’s further assume that if the web page contained a directive to the Browser to automatically trust the website, then you can get one-click web-based Installation and automatic identification of a trusted website. Sounds like a good idea, no?


Unfortunately, the flaw with that assumption is WHY should the Browser decide to TRUST the website based on what the website tells it? If a stranger came up to you and said “trust me, I am a good guy”, would you automatically trust the stranger? Oh, you do? Well, let me tell you about this fantastic penny stock here that will make you rich… just hand me your money and I will do the rest… 😉


Anyways… since it is insecure to allow by default the one-click web-based Install for any website, and it is impossible to automatically distinguish between a “trusted” and “untrusted” website to make this work securely, what you assumed – that you have one-click web-based Install from an ASP page – is impossible. Remember, I assume you and your users care about security.


Besides, even if one-click web-based Install was possible and secure, your “Requirement” still assumes that the End User runs as Administrator… and given the security ramifications of that configuration and how Windows Vista will make all users run as non-Administrators by default, your “Requirement” does not make business sense.


//David
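The argument above can be modelled as two decision functions. This is an added example, not code from the original post and not how any browser is implemented: the "trust me" flag, the host names, the `TRUSTED_ZONE` set and the https-only rule are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed client-side policy: hosts the user or an administrator placed in
# a trusted zone out-of-band. Nothing a web page sends can change this set.
TRUSTED_ZONE = {"apps.corp.example"}

def in_trusted_zone(url, zone=TRUSTED_ZONE):
    """True only for https URLs whose host is a zone entry or a subdomain of one."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # assumption: plain http cannot prove who answered
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    # Match on a dot boundary so "apps.corp.example.evil.test" does not qualify.
    return any(host == z or host.endswith("." + z) for z in zone)

def naive_decision(url, page_says_trust_me):
    """Flawed policy: the page vouches for itself (hypothetical directive)."""
    return "skip_prompt" if page_says_trust_me else "prompt"

def zone_decision(url, page_says_trust_me):
    """Policy keyed on client-held configuration; the page's claim is ignored."""
    return "skip_prompt" if in_trusted_zone(url) else "prompt"

# Constructed sample requests: any site, honest or not, can send the same claim.
SAMPLES = [
    ("https://apps.corp.example/setup", True),
    ("https://apps.corp.example.evil.test/setup", True),
    ("https://evil.test/setup?from=apps.corp.example", True),
    ("http://apps.corp.example/setup", True),
]

def compare(samples=SAMPLES):
    """Return (url, naive result, zone result) for each sample request."""
    return [(u, naive_decision(u, c), zone_decision(u, c)) for u, c in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The naive policy returns the same result for all four requests because its only input is supplied by the site being judged; the zone policy tells them apart only because someone configured the client beforehand, which is exactly the step the “Requirement” wanted to skip.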

Comments (4)

  1. Jeroen Frijters says:

    Ehm David, you may want to look into something called "ClickOnce" deployment. It allows single click installation of .NET apps (even if you’re not an admin). These apps run in a sandbox and are perfectly safe.

  2. David.Wang says:

    Jeroen – I agree, "Managed" applications like .Net and Java can work like that because they have built-in security controls like a Sandbox and CAS.

    Likewise, I suggest you need to be careful with your phrasing because your comment ONLY applies to managed code applications and requires the right framework version to already be installed (that installation does need Administrator privileges), amongst other administrator-only details.  In other words, the installation of ClickOnce is really a meta-install, not a real "Install".

    My main point stands around security of a real "Install" – most people do not understand the security ramifications of what they want – and it continues to apply all the time.

    This is why I did NOT focus on talking about what is possible (ClickOnce) for a small percentage of time and focus on what is NOT happening (Security) most of the time.

    //David

  3. Prabhat says:

    Thanks for your good information and explanation. But if not in ONE Click, can I do that in 2 steps? (I think Yahoo Messenger download works in 2 steps)

  4. Robert Moir says:

    My take is not to count clicks, but think of the actions that have to take place from the point of view of the end user and their computer.

    With these written down it should be easy to think about what steps can reasonably be automated for a given situation (e.g. intranet user looking at a trusted internal server) and that will probably also start to expose what you need to do to achieve it.