Help! My Business Requirement: Security Vulnerability Needed

Ahh... such an innocuous requirement - "I want to allow my User to easily click on a link and directly install Software from a Web Page - without all the confusing IE security hoopla popping up and possibly failing to allow Installation if your Software is not signed. After all, my User trusts me."

Requests like this happen all the time in all sorts of contexts (Intranet deployment of applications, Extranet deployment of applications, etc), and even though it sounds like a good "feature", the only proper answer to it is: "NO, your business requirement is a security vulnerability, so bzzzzzzt, Access Denied."

Question:

Hi All,

How can I write an ASP page that will handle web-based Install? Is it possible, or do I need to go for some 3rd party Software for this? If yes, what is the best to use with ASP?

My requirement is: I have one Software that I wanted to install on the Customer PC directly from a Webpage instead of allowing the user to download the Software and install it.

I have no idea about this concept. Please guide.

Thanks

Answer:

Assuming that you and your users care about Security, I suggest that you abandon your "Requirement" because it amounts to a Security Vulnerability. How so?

Well, assuming you get what you want - that you have one-click web-based Install from an ASP page, either with a 3rd party plugin or not - what would stop Hackers from using the same mechanism to automatically install Malware onto the same User's machine? In other words, given an arbitrary URL to allow one-click web-based Install, how can the browser distinguish between your website and a hacker's website?

Remember, I presume that since you do not even want users to download/install applications in two steps, you also do not want users to have to first manually identify your website as belonging to a different security zone - you want it all to happen automatically with one click, given the default security configuration.

Hmm, so let's further assume that if the web page contained a directive to the Browser to automatically trust the website, then you can get one-click web-based Installation and automatic identification of a trusted website. Sounds like a good idea, no?

Unfortunately, the flaw with that assumption is WHY should the Browser decide to TRUST the website based on what the website tells it? If a stranger came up to you and said "trust me, I am a good guy", would you automatically trust the stranger? Oh, you do? Well, let me tell you about this fantastic penny stock here that will make you rich... just hand me your money and I will do the rest... ;-)

Anyways... since it is insecure to allow by default the one-click web-based Install for any website, and it is impossible to automatically distinguish between a "trusted" and "untrusted" website to make this work securely, what you assumed - that you have one-click web-based Install from an ASP page - is impossible. Remember, I assume you and your users care about security.

Besides, even if one-click web-based Install were possible and secure, your "Requirement" still assumes that the End User runs as Administrator... and given the security ramifications of that configuration and how Windows Vista will make all users run as non-Administrators by default, your "Requirement" does not make business sense.

//David
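
The argument above, as an added example that is not part of the original post: a toy model in which every page claims to be trusted, so a policy that believes the page cannot tell the sites apart, while a policy keyed on a client-side trusted-sites list can. The hostnames, the `declaresTrusted` field and the function names are constructed for illustration and do not reproduce IE's actual zone logic.

```javascript
// Added illustration: a toy model of a browser's install decision.
// Hostnames and field names below are constructed for this example.

// Client-side policy: set by the user or administrator, never by a page.
const TRUSTED_SITES = new Set(["https://apps.corp.example"]);

// Flawed policy: honours a "trust me" directive carried inside the page.
function installAllowedByPageDirective(page) {
  return page.declaresTrusted === true;
}

// Policy based only on what the page cannot forge: the origin the browser
// actually connected to, compared exactly against the local list.
function installAllowedByClientPolicy(page) {
  let origin;
  try {
    origin = new URL(page.url).origin; // scheme + host + port
  } catch {
    return false; // unparsable URL: never trusted
  }
  return TRUSTED_SITES.has(origin);
}

// Constructed sample pages. Each one asserts that it is trusted;
// only the URL the browser fetched it from differs.
const samplePages = [
  { url: "https://apps.corp.example/install.asp", declaresTrusted: true },
  { url: "https://apps.corp.example.attacker.test/install.asp", declaresTrusted: true },
  { url: "http://apps.corp.example/install.asp", declaresTrusted: true },
];

// Evaluate both policies side by side for each page.
function compare(pages) {
  return pages.map((p) => ({
    url: p.url,
    pageDirective: installAllowedByPageDirective(p),
    clientPolicy: installAllowedByClientPolicy(p),
  }));
}

console.log(compare(samplePages));
```

The page-directive policy allows all three installs; the client-side policy allows only the first, rejecting the lookalike hostname and the plain-HTTP copy because the exact origin is not on the locally managed list.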