RE: Adobe AIR + .NET Command Proxy Security concerns.


NOTE: Brand Politics mostly (Adobe are offended). If it’s not your cup of tea, move on 😉

Yesterday’s post has sparked an initial debate on my approach to the AIR + Command Proxy and how we believe it has security concerns associated to it.

The original post can be found here (great time to read the post, comments and come back to this spot in time).

http://blogs.msdn.com/msmossyblog/archive/2008/01/21/adobe-air-net-proxy-concerns-arise.aspx#7191774

Note: This is a response to the comments in order of weight in terms of (did they have a point).

Rather than bury this deep within the comments of such post, I thought I’d bring it more out to the open as I think these are some great data points all AIR adoptees (or likely to adopt) readers of this blog should be wary of. It’s in no way an attempt to discourage you from AIR adoption, that’s something we at Microsoft entrust you’ll decide based on merit and that alone (no upside in such a weak campaign).

Note: 4 immediate responses from Adobe only? 3 of which have nothing to do with the actual technology but more defending each other or for that matter echoing points I’ve already made in my original post.

Let’s keep the conversation focused gentlemen and a little less wolf-pack responses.

To: Ryan Stewart @ Adobe asks:

Q. I don’t really see where you’ve given a reason why this is a bad approach?

I should have expanded on this in more depth Ryan, I apologize for that (I assumed all were on the same page, as it seemed obvious to me and other peers I respect).

The communication channel between the command proxy and AIR application looks like a potential vulnerability. One of the things application developers should worry about with security is insecure cross-process communication mechanisms hanging around on someone’s machine. For example if a process listens on a named pipe, and that named pipe has no ACLs and no validation of inbound communication, the process is vulnerable to all kinds of attacks when garbage is sent down the pipe. In the example on using the command proxy how do you secure it so that it doesn’t turn into a general purpose process launcher?

The question I have floating around is “what is being solved here”?

AIR to me is simply a hint in empowering a specific target audience (flex/javascript) to extend such skills beyond the browser sandbox. In allowing this, AIR will of course have certain levels of access beyond a browser in terms of security, which isn’t a problem per se as some solutions may require this. The notion however to break out of the limitations imposed by AIR by leaving an open proxy running on the user’s machine is definitely not the way to solve the imposed limitations.

I’ve run this past a few internal and external minds to simply ensure I have a sanity check on this and they’ve all raised similar concerns. I simply assumed that this would be a logical conclusion, open ended proxies that can run Photoshop today can do interesting things tomorrow.

Spyware has a habit for example of being really good at telling you it’s not spyware, as why else would any sane person install it.

to: Matt Voerman @ Adobe.

If I was quick to judge, I apologise – just from personal experience, I’ve always found you quick to focus on me personally and not so much the topic. Yet, looking at your post from an outsider’s perspective I can see how others may differ in my opinion (personality clash maybe based on local interaction).

Ok, so I found you had approx 1 point in your entire rant. The rest I already covered – IN THE ORIGINAL POST. I’d say practice what you preach hehehe.

The point: “…Two of the most requested features…”

Yet these features go ignored or have lack of commitment. The counter response to these two “requested” features is to create an insecure proxy that kind of taints the waters for all involved (which I’ll get into shortly). If your folks spent less time trying to defend one another and AIR and focus in on why this is being discussed, you’d realize it’s not about discrediting AIR or attacking Mike. It’s about ensuring that a solution of this magnitude is one that we at Microsoft are concerned about. As, assume it goes pear-shaped and Windows Vista based AIR solutions become tainted, both our brands suffer.

To state “we don’t support this – signed Adobe” is like effectively saying “I gave birth to an idea, turned the idea into a solution and I want you – as an Adobe employee – to adopt it but at the same time I won’t support you in doing so”… take responsibility for it at the very least. As to state Adobe won’t support it underpins the notion it has flaws and is probably an immature solution.

to: JD @ Adobe.

Since we are on the topic of establishing an understanding of what our past, present and future.

Can I ask what it is you do for Adobe?

You aren’t clear in that regard and to be openly honest you appear to be an “industry analyst” but with an Adobe bias? Are you a professional blogger for Adobe and do you have anything to contribute to the conversation other than what Matt may or may not have said?

That all being stated, I hadn’t really looked at my profile from that perspective and will amend if folks feel it’s misleading. (I’m surprised people actually read it. I didn’t think anything of it as the other day Mike Chambers noted I spelled "were" wrong (so either Mike didn’t notice it himself or simply didn’t care?))

Interesting though my profile is being a point of focus though, I mean again what does this have to do with the topic? What was that you were saying about the definition of ad hominem :) .. waters get murky fast don’t they.

to: Mike Chambers @ Adobe.

I’m at a loss as to why you of all people aren’t seeing the objective here since you are the one writing it. It’s not about AIR vs. Microsoft, it’s simply a case of “…ok we are nervous because you’re effectively endorsing an insecure solution via Adobe platform without thinking through the long term effects associated with doing so..”. It’s concerning and, support it or not, it’s almost irresponsible.

Summary

Folks, this is not about competing and it’s something I cannot stress enough. This is about ensuring that as a large brand you take responsibility for your platform and how you endorse it, specifically when it comes to our operating system. It’s in your best interest to consult us on these matters, as we are the ones who know our own platform the best and to simply brush us aside as a competitor and do not tell is borderline irresponsible.

Let’s assume the worst happens. Let’s assume the proxy opens Pandora ’s Box. Adobe loses a lot of credibility in the desktop space by providing consumers (e.g. say eBay Desktop app uses this concept for whatever reason) essentially an endorsed vulnerability. This in turn creates havoc (insert FUD rant here) and whilst people may lose faith in your brand, in the end it also falls in our lap as well. As the perception is “Windows Vista should have protected me”.

That is my underlying point. Protection. Simply saying “We don’t support it” isn’t fair as Mike has a lot of respect within the AIR community and this respect carries weight. It’s kind of like assigning 99% guarantee to an item – at the end of the day most know 99% guarantee is essentially a 100% guarantee but leaving 1% on the table in the event something goes wrong.

Kind of like Adobe essentially guarantees 95% of the world’s computers have Flash…

Comments (15)

  1. Scott,

    Are you suggesting that because I work for Adobe, I cannot explore potential code paths and patterns?

    The code / example is not an Adobe project (which I make clear in my original post). It is some code I put together to see whether I could get a local command proxy to work. I could, and I shared that knowledge with others.

    Is it a good way to build apps? No, I don’t think so. It is a hassle for developers, and requires them to do a lot more work to package the app.

    Does it have security issues? Probably. Off the top of my head, right now the socket connection from AIR to the proxy is not encrypted. It should be either via encrypted sockets or ssl. However, that is one of the reasons I (or I imagine others), post "proof of concept" code. To share knowledge and spur conversation.

    Again, this is not an Adobe project. It is a Mike Chambers played with some code and shared it project. That is why it is on my weblog, and not on labs. It is also why there is little to no documentation, and no binaries provided. (in general, I pretty much share ALL of the code I write).

    To be honest, I didn’t have a problem with you posting about potential security issue with it (I posted the original project to spur discussion). However, instead of discussing the code and why it might not be a good idea, your original post goes off on a tangent and concludes that the eBay app hasn’t been received well (it has), and there is no reason for AIR apps except offline.

    Now, I realize that it is convenient for you and Microsoft to claim that this is some big Adobe project, and you are flabbergasted that Adobe would endorse and support such a thing. Except of course, this is not an Adobe project (as made clear in the original post), and is not endorsed or supported by Adobe. Again, it is some proof of concept code which I shared.

    Regardless, I expect you to try and spin this as you normally do. I think that is a real shame as I think that this is a discussion that could have easily gone in the direction of "this is interesting, but is there a better way we can integrate these technologies?".

    mike chambers

    mesh@dobe.com

  2. Alan Lewis says:

    I already responded to your other post, but because you once again dragged my application and employer into the discussion I feel compelled to respond again.

    On the topic of "security," I think that you really sell application developers short. A competent developer would not trust an unproven architecture of anything just because of the company it came from. We are in the process of doing a round of in-depth security reviews for eBay Desktop, and although AIR is relatively new, it does have advantages over an OS on security. Without getting into debating architectures, I’ll instead focus on a few higher level ones:

    1. The codebase of AIR itself is much smaller and less complicated than an operating system. It offers fewer features too. And that’s great! Less to cover when we are looking to make sure that all of the potential areas a threat might originate from are covered.

    2. Adobe has been much more open with their platform technology than the two leading OS vendors have. True – not all of their technology is open, and I have blogged about this and encouraged them to open up Flash Player in particular. (see, I can bash other companies besides Microsoft!). But I get the feeling with Adobe that if we wanted to get access to that source code for our security reviews, it wouldn’t be out of the question, and they are certainly moving in the right direction with regards to open source.

    You guys simply don’t have a lot of credibility when it comes to security, and your attitude that comes across in this blog so far doesn’t help change that. The stance of "trust our architects that this is a bad idea" isn’t good enough. You need to participate in exploring ideas with developers instead of bashing new ideas with your blogging club.

    Oh, and you simply cannot claim that "this is not about competing." You are a Silverlight evangelist! Silverlight is the main competitor to Flash! Blogging for big companies 101 is that even if you say there is no bias, there probably is, and people will certainly assume that there is, therefore, there are simply things that you don’t blog about unless you are trying to rile things up.

    Alan Lewis

    Product Manager, eBay Desktop

  3. Abdul Qbaiz says:

    Scott,

    I can imagine what are you trying to point out. Since I am neither in MS or Adobe, I take your concerns positively.

    I understand, you probably know more about .Net than any of the guys commented on your previous blog.

    Thanks for posting the concerns, it surely helps developers to think before using it. I am sure, your concerns would allow development of better/secure alternatives to communicate with OS.

    -abdul

  4. vikram says:

    interesting read. and truly speaking I am in ur favour. adobe should think before doing what it is thinking of doing

  5. It may be worth noting, that WebORB.NET Edition will work with AIR in a similar manner to the way that CommandProxy works.  It installs a service that listens to requests over some port.  

    As a solution it is more polished than CommandProxy, but I’m unsure how they are dealing with the security implications of something like this

    If I install iTunes on my Windows PC, it creates two services; so there is a precedent for this behavior.  I’m not sure what the iTunes services do (I disabled both of them).  Do these open up similar vulnerabilities?  

  6. After filtering through the side-conflicts, there’s one issue here clearly worth discussion.    How is the incoming communication to the proxy (from the client) secured?  Without a secure channel there, the command proxy becomes an "open command proxy" and that’s bad.

    Mike’s original post secures the channel at launch time, by having  the proxy pass its socket port and a "communication key" to the client.  My assumption is that the client will have to pass this key back with every request, and the proxy will validate the key with every request.

    Doesn’t that address the main concern around the cross-process communication, Scott?

    I think the community can add features to products like .NET and AIR without compromising security.  We just need to have this conversation.

    -Ethan
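The concern raised in the reply to Ryan Stewart (a proxy that turns into a general-purpose process launcher) and the per-request key check Ethan assumes above, sketched as an added example; it is not CommandProxy's code or anything posted in this thread. It is written in Python rather than .NET, and the command names, executable paths and JSON message shape are assumptions made for illustration.

```python
import hmac
import json
import re
import secrets
import socket

MAX_REQUEST_BYTES = 4096  # refuse oversized input before parsing it

# Hypothetical allowlist: command name -> (fixed executable, argument pattern).
# The client never supplies an executable path, only a name from this table.
ALLOWED_COMMANDS = {
    "open_in_editor": (
        r"C:\Program Files\ExampleEditor\editor.exe",  # placeholder path
        # Bare file name only: no separators, no "..", no leading "-" (option injection).
        re.compile(r"[A-Za-z0-9][A-Za-z0-9_\- ]{0,63}\.(png|jpg|psd)"),
    ),
    "take_screenshot": (
        r"C:\Program Files\ExampleProxy\shot.exe",     # placeholder path
        None,                                          # takes no arguments
    ),
}


def new_session_key():
    """Per-launch random key the proxy hands to the client it starts."""
    return secrets.token_hex(32)


def bind_loopback():
    """Listen on 127.0.0.1 only, on an OS-chosen port, never on 0.0.0.0."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def reject(reason):
    return {"ok": False, "error": reason}


def handle_request(raw, session_key, allowed=ALLOWED_COMMANDS):
    """Validate one request; return the argv to launch, or a rejection.

    Nothing is executed here. The caller would launch result["argv"]
    directly, without passing it through a shell.
    """
    if len(raw) > MAX_REQUEST_BYTES:
        return reject("request too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError):
        return reject("malformed request")  # garbage sent down the socket
    if not isinstance(msg, dict):
        return reject("malformed request")

    # 1. Authenticate: the key must equal the one issued at launch.
    #    compare_digest avoids leaking the match length through timing.
    key = msg.get("key")
    if not isinstance(key, str) or not hmac.compare_digest(
        key.encode("utf-8", "replace"), session_key.encode("utf-8")
    ):
        return reject("bad key")

    # 2. Authorize: the command name must be in the allowlist.
    command = msg.get("command")
    if not isinstance(command, str) or command not in allowed:
        return reject("command not allowed")
    executable, arg_pattern = allowed[command]

    # 3. Validate arguments against the per-command pattern.
    args = msg.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return reject("bad arguments")
    if arg_pattern is None:
        if args:
            return reject("bad arguments")
    elif len(args) != 1 or not arg_pattern.fullmatch(args[0]):
        return reject("bad arguments")

    return {"ok": True, "argv": [executable, *args]}


def demo():
    """Run constructed sample requests through the validator."""
    key = new_session_key()

    def req(**fields):
        return json.dumps(fields).encode("utf-8")

    samples = {  # all requests below are constructed for this example
        "valid": req(key=key, command="open_in_editor", args=["banner.psd"]),
        "wrong key": req(key="0" * 64, command="open_in_editor", args=["banner.psd"]),
        "arbitrary program": req(key=key, command="cmd.exe", args=[]),
        "path traversal": req(key=key, command="open_in_editor", args=["..\\..\\x.png"]),
        "garbage": b"\xff\xfe\x00not json",
    }
    return {name: handle_request(raw, key) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The key check only proves the caller was given the key; as Mike notes in his comment, the socket itself is unencrypted, so the allowlist and argument validation are what stop an authenticated caller from launching arbitrary programs.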

  7. John Dowdell says:

    "What is it you do for Adobe?"

    I come out of tech support. I started on the phones, and branched into forums, newsgroups, mailing lists and weblogs as they came around. The main task is to satisfy customer issues with the company — point people to resources, etc. The corollary to that is to escalate issues within the company as necessary. This evolved into clipping and summarizing online conversational trends for distribution within the company.

    Title? I’ve never found a good one. "Support Technician" no longer seems to quite describe it… I wanted to go with "Blogalyst" or even "Cheerleader", but they lack a certain corporate gravitas… the pigeonhole I’m in now is "Product Manager", but that’s a very broad and common pigeonhole these days.

    Ask Stephen Elop, I used to report at one remove to him, he knows all about it…. 😉

    (For Command Proxy itself, I wasn’t clear on the mechanism… didn’t know whether it went through the normal web-communication sandboxes, or whether it was more like persuading the audience to install a second desktop app, which could accept and process wider messages from AIR apps. Anytime you’re installing native-code onto your desktop there are security issues to consider.)

    jd/adobe

  8. Garry Trinder says:

    Hi All,

    Can I just say – wow? Lots of mixed reactions here and clearly this is a discussion worth having. Only I hope “we don’t kick over the beehive to get to the honey”.

    I haven’t read a lot of the comments; I can tell there is an element of emotion involved and personas all having their say (positive/negative). I think I’d prefer to focus on Mike’s comment only as at the end of the day this is what it’s really all about and he seems to be logical person to have the dialogue with. I’m not dismissing everyone’s comments as irrelevant; please don’t take it as that it’s more getting back on topic and less rat holes?

    That and at the end of the day, this is his creation we are talking about and he deserves the floor so to speak.

    Mike Says:

    “..Are you suggesting that because I work for Adobe, I cannot explore potential code paths and patterns?..”

    Partially yes, in that my only point in implying that as once you associate your profile – which you’ve built via channels that Adobe/Macromedia have provided – to a project, it in return will be considered something to use (especially given there is no caution about security etc associated to it). You’re essentially looking down the barrel of religion vs. state argument as to ask a customer to separate the two is effectively harder than it first appears.

    Eg: What if I built a “proof of concept” that enabled Silverlight to be embedded within AIR that left AIR open to exploitation in the process. Could I hide behind the POC card? What buzz would that generate and lastly but most importantly would Adobe’s position on it be?

    Furthermore, if this was just you scribbling around in code, it would be fine and you’ve done it in the past many times with Central etc back in the day (positive). The difference in this case is simply the buzz factor, in that with your profile you attract eyeballs by doing so in an Adobe marketing channel. These eyeballs will no doubt (so they should) assume you know a thing or two about AIR and given that .NET connectivity is a hot requested item in AIR (thus your probable reason for its creation) you’ve essentially fed the notion that this is a possible solution and everyone who is using AIR but wants .NET integration, use this as a starting point.

    Given my role at Microsoft and understanding of Adobe AIR, my immediate concern was in place from the start. Yet for me to come out and say this straight away would have had negative impact on your project (clearly these posts underpin that), so I decided to let it sit for a while as surely someone else from the community will ask the question and well, it all takes a natural course from there.

    Sadly, it never happened and instead I started seeing remarks about AIR + .NET begin to occur both online and offline. This is the point in time which injected my concerns, proof of concept or not. As you surely would know, that both our brands have a degree of misconception out there in that I at times face customers whom ask questions like “Doesn’t Flex have a database built into it?”.

    This is more about perception change, in that ensuring your proof of concept, whilst very interesting and exciting needs to be positioned in a manner that underlines the security concerns associated to it. The downside of my approach is simply that because I’m Microsoft and sometimes seem to be the only one online that at times pushes back on Adobe’s messaging, it then becomes a heated debate – 4 Adobe staffers back to back responding with negative counter-arguments, 3 of which don’t address the actual concern. Ryan was the only one that had a question.

    I simply find at times when I observe customers in and around the various communities that speak out about Adobe simply get shouted down. I’ve noticed this dating back to early Macromedia days and because of such, I simply adjust my wording to try and control the conversation so that we simply stay on topic. At times it can feel like “kicking over the beehive to get honey” but it’s a posture taken that, sadly, gets results. It also then ensures a response is formulated by Adobe and the air is cleared. I dislike doing it to be honest as do you think I enjoy seeing personal attacks on my blog from those whom are loyal to Adobe? (Ever notice a trend that once you folks denounce a blog post outside of MXNA that these folks get shouted down? Does that not concern you? )

    I’m happy to change and have a more neutral grounded conversation with Adobe on RIA in general, but until we can work on a communication methodology that doesn’t end up in character assassinations, this sadly is the approach I’ll be forced to take (e.g. jd’s contribution constantly baffles me, but now I have clarity on his role, I can see why – that’s not an attack, but I have new awareness of his value proposition to future conversations – cheer leader).

    Mike Says:

    “..The code / example is not an Adobe project (which I make clear in my original post). It is some code I put together to see whether I could get a local command proxy to work. I could, and I shared that knowledge with others…”

    Did I not say this in my original post; I also clearly stated it was a “Proof of Concept”. I’m not sure how to respond? – I agree? Great project but be careful….

    Mike says:

    “…To be honest, I didn’t have a problem with you posting about potential security issue with it (I posted the original project to spur discussion). However, instead of discussing the code and why it might not be a good idea, your original post goes off on a tangent and concludes that the eBay app hasn’t been received well (it has), and there is no reason for AIR apps except offline…”

    That’s not the body of your response or 3 other of your fellow employees. If it had been, you would have stated the above or similar to “..Scott, great conversation about security, let’s take this offline/online and explore further. I do however protest your argument around AIR + eBay I think it wasn’t called for and would prefer you not …” etc.

    I state this as if we are going to travel down that rat hole, let’s keep it in context and little less of shifting the agenda away or playing the “victim”.

    Clarity on eBay  – The reason I cited eBay AIR solution as whilst it had some launch success there is no apparent evidence (not that I was able to find) that it has been well received other than Alan & your remarks. It lacks supporting evidence to counteract my remarks and I’m hopeful there will be more of this at a later date. In order for eBay to state it’s been well received, AIR in return would be considered “well received” and given there is no messaging around this, one can simply conclude it’s still just a beta project and thus hasn’t been fully “received”. Adobe has yet to establish reasons why for AIR applications should exist, offline aside. As there again, is no real reason for them – maybe the x-platform card can be played but that’s a fairly weak campaign to position.

    Note: I’ve stated this pre-Microsoft, so whilst some may assume this is a Microsoft FUD campaign around AIR, it’s not, I stated my position around AIR/Apollo from the start BEFORE joining Microsoft and my old blog – mossyblog.com will back this (see archive.org for resurrecting it, sorry I closed my hosting account as it was costing money and this blog is a sufficient outlet)

    Mike Says:

    “..Now, I realize that it is convenient for you and Microsoft to claim that this is some big Adobe project, and you are flabbergasted that Adobe would endorse and support such a thing. Except of course, this is not an Adobe project (as made clear in the original post), and is not endorsed or supported by Adobe. Again, it is some proof of concept code which I shared…”

    Again you’re focused on character assassination and a little less on the merits of the conversation. This isn’t a Microsoft is against Adobe agenda, this is Microsoft is against the idea that a high profile Adobe employee is telling his/her audience that subscribes to his blog based around his position in Adobe that the possibility of connecting AIR to an open ended proxy is a good idea. The difference between a proof of concept and “open source project” release is quite large.

    I build proof of concepts daily, I don’t look to endorse them not just via my own blog but through other employee’s blog whilst at the same time establish source code projects around it (In fact I go out of my way to stress that proof of concepts are throwaway technology). Let’s be also clear on Proof of Concept vs. Prototype.

    A POC is simply an incomplete demonstration in terms of testing feasibility around an idea/principal with a purpose to verify such in a useful manner.

    A Prototype however is a full-scale working model of an idea.

    If you were simply building a throw-away POC (which they typically are) well one could argue your case, but I put it to you that what you’re really doing is building a prototype. This is where we have a point of contention as now validation around my concerns arises.

    This is purely my perspective on the matter and I could be wrong, never stated I was 100% right and I did however state I had “concerns”.

    Mike says:

    “..Regardless, I expect you to try and spin this as you normally do. I think that is a real shame as I think that this is a discussion that could have easily gone in the direction of “this is interesting, but is there a better way we can integrate these technologies?”…”

    Why can’t Adobe staffers ever finish a conversation without a character assassination? (That’s twice now from two separate individuals) You folks start really strong, have valid points and we can have a depth discussion but sadly, you seem to always finish out with a “..and this is why you’re bad overall..”

    It’s immature firstly, secondly you don’t do that (even if you think it) and thirdly what’s your takeaway point to the readers? You essentially prefer to end the conversation with “this is just Microsoft employee putting spin in the room..” and then – put a post on your very own blog outlining and answering some of the points I raised and address the initial “spin” (in which I am being accused of starting?). Kind of a weak stance is it not?

    I find most of your fellow team members bullies to be honest. It’s something I’ve never really said out loud, but the more I think about our various interactions over the years (both positive and negative and dating back to early Macromedia days) in the end I’ve settled on the fact that the moment anyone dismisses Adobe’s messaging in anyway, we are in fact swarmed by a pack of emotionally charged comments. Ever notice how the moment any of your folks counteract an argument against Flash, AIR, Flex etc that the person(s) blog is swarmed in emotionally charged slander? Don’t you want the community to rise above this more? Lead by example is all I state.

    I urge you to show maturity and restraint by letting conversations take place, less character assassination attempts and more importantly learn to accept being both wrong and right with humility.

    You lack humility and maturity. This disappoints me because I think a lot of your colleagues and yourself have enormous amounts of knowledge and experience to share with the community, but sadly constantly get lost in emotion.

    I’m happy to meet with you next at an event such as WebDU, MIX08 etc and look to finding a way for us all to communicate in a more effective manner that enables us to have a powerful conversation without character assassination(s).

    I’m not alone in this awareness and customers I meet not just locally but from around the globe have also stated that they think it’s poor form. Take that as “FUD” or take that as constructive feedback in a public forum, either way it’s entirely up to you – but it’s not spin as to assign it such a label is to assume that suddenly a wave of customers that were Adobe believe me and suddenly come to Microsoft’s product lines… that’s silly.

    My 2c.

    P.S

    Who reads comments these days anyway right?

  9. Joe Rinehart says:

    Scott,

    Top marks for mastering the art of Microsoft marketing so quickly – I hoped that someone with a Macromedia / Adobe background might be a little less susceptible to its tactics.

    Sadly, you’ve been awfully successful:  you acknowledge Mike’s code isn’t an "Adobe" project, but you’ve indirectly misled your readers, such as "vikram," into thinking Adobe’s opening security holes.  

    Congrats, I’m sure it’ll go over well on your next performance review.

  10. Garry Trinder says:

    Joe,

    Stick to coldfusion frameworks 😉 it’s something you know best.

    Scott.

  11. Ethan Estes says:

    I’m sorry but your post is mostly garbage. On one hand you want adobe employees to play nice with you but on the other hand you try to blowup this project that chambers put together as the coming Armageddon for .NET!

    I trust Mike a hell of a lot more than Microsoft-at least he invests in open source efforts. Just because an initial idea has some issues does not mean it’s not worth researching! If you’re worried about the security why not get involved in the project and help out?

    ———————————————

    Also Chambers post had this:

    Note, this project is in no way supported by Adobe. This is a proof of concept project that I put together to help developers understand one possible way to extend AIR functionality beyond that that is provided by the runtime.

    How can he be any clearer that this is not an adobe project?

    ——————————————–

    you:"As to state Adobe won’t support it underpins the notion it has flaws and is probably an immature solution."

    mike: " I have put together a proof of concept project"

    what proof of concept is not immature? They always have flaws. Tell me something i don’t already know.

    ——————————————–

    It just seems to me that you’re the one running around crying wolf about a small project on google code. Then crying foul when others call you on it. Maybe you should spend your time coming up with cool ideas like Mike does. I might take you seriously then.

    I take great pride in the zest which the adobe community defends itself. I think Microsoft wishes they had that kind of loyalty so you have to take shots at it to make you feel better. That sure sounds like  "bully" complex 101 to me.

    I also have been using ebay desktop since the day its beta was released. I like the interface, i like throwing the images, i like that i don’t accidentally close it when i shut down my browser, i like not having page refreshes, I LIKE THE EXPERIENCE!

    The fact that you don’t "get" ebay desktop to me shows that silverlight will not be a trendsetter, just a "me too!"

    just my 2 cents.

    ethan

  12. Garry Trinder says:

    Ethan,

    You’re entitled to your opinion. I disagree with you obviously but anyone whom thinks this is just a one sided affair is living in a deluded existence as the old saying goes "it takes two to tango".

    All the best and good luck with your eBay experience, hope it works out.

    Scott.

  13. Tim Hobbs says:

    It would be great if the energy that was spent bashing (by both sides, including all the comment posters) could be funneled in to making development easier. Honestly, I don’t care WHO makes development tools, I just care that they work. I’ll use whatever I need to get the job done, and I am honestly happiest if I am not stuck using one shop’s tools.

    I am a .NET web developer, but I’d love to use AIR for a desktop app for a site I work on. I agree that the best method is to have a civil discussion, but I also can’t say that throwing in the bully comment at the end will help that any. You bashed Mike for being immature, but the closing comments sort of stooped to the same.

  14. Parag Mehta says:

    I don’t think Scott that, posts like this belongs to your Blog. Personally, Reader like me will be more interested in Project Nexus than such a political debate. Obviously no-one is right or wrong here and everyone has their own opinion! Only Time can decide who was right in this case.

    Personally I like Silverlight/WPF more but that doesn’t mean AIR is trash. It may be good for someone else.