ClickOnce security?

Discussion in 'ASP .Net Security' started by 7777, Feb 22, 2010.

  1. 7777

    7777 Guest

    Hello, sorry if this is wrong area and novice question so is ClickOnce
    mainly for deploying asp.net apps and would anyone know of or can mention
    any security risks when using Windows Authentication? Thanks in advance.
    7777, Feb 22, 2010
    #1
    1. Advertising

  2. 7777

    Joe Kaplan Guest

    ClickOnce is primarily a technology for deploying apps that execute on the
    desktop, typically via an HTTP-based distro point. It is not generally about
    building ASP.NET apps although you can write ClickOnce apps that interact
    with it.

    Silverlight is getting a lot more attention these days as a client-side
    executable framework though.

    What are you trying to do?

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "7777" <> wrote in message
    news:%...
    > Hello, sorry if this is wrong area and novice question so is ClickOnce
    > mainly for deploying asp.net apps and would anyone know of or can mention
    > any security risks when using Windows Authentication? Thanks in advance.
    >
    Joe Kaplan, Feb 23, 2010
    #2
    1. Advertising

  3. 7777

    7777 Guest

    We have a consultant requesting to utilize ClickOnce and configure things in
    that direction for client updates and was wondering how safe it is as we're
    unfamiliar with this technology. You mention it executes via HTTP in that
    would it be able to do it through HTTPS for higher sensitive apps/updates?
    Thanks Joe.


    "Joe Kaplan" <> wrote in message
    news:...
    > ClickOnce is primarily a technology for deploying apps that execute on the
    > desktop, typically via an HTTP-based distro point. It is not generally
    > about building ASP.NET apps although you can write ClickOnce apps that
    > interact with it.
    >
    > Silverlight is getting a lot more attention these days as a client-side
    > executable framework though.
    >
    > What are you trying to do?
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > "7777" <> wrote in message
    > news:%...
    >> Hello, sorry if this is wrong area and novice question so is ClickOnce
    >> mainly for deploying asp.net apps and would anyone know of or can mention
    >> any security risks when using Windows Authentication? Thanks in advance.
    >>

    >
    7777, Feb 23, 2010
    #3
  4. 7777

    Joe Kaplan Guest

    ClickOnce apps are typically distributed via HTTP (you download the code
    from a web site) but it doesn't necessarily execute via HTTP. It runs
    locally. You can deploy these on SSL endpoints if you wish.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "7777" <> wrote in message
    news:%...
    > We have a consultant requesting to utilize ClickOnce and configure things
    > in that direction for client updates and was wondering how safe it is as
    > we're unfamiliar with this technology. You mention it executes via HTTP
    > in that would it be able to do it through HTTPS for higher sensitive
    > apps/updates? Thanks Joe.
    >
    >
    > "Joe Kaplan" <> wrote in message
    > news:...
    >> ClickOnce is primarily a technology for deploying apps that execute on
    >> the desktop, typically via an HTTP-based distro point. It is not
    >> generally about building ASP.NET apps although you can write ClickOnce
    >> apps that interact with it.
    >>
    >> Silverlight is getting a lot more attention these days as a client-side
    >> executable framework though.
    >>
    >> What are you trying to do?
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "7777" <> wrote in message
    >> news:%...
    >>> Hello, sorry if this is wrong area and novice question so is ClickOnce
    >>> mainly for deploying asp.net apps and would anyone know of or can
    >>> mention any security risks when using Windows Authentication? Thanks in
    >>> advance.
    >>>

    >>

    >
    >
    Joe Kaplan, Feb 26, 2010
    #4
  5. 7777

    7777 Guest

    Thanks for the helpful insight Joe, much appreciated :)


    "Joe Kaplan" <> wrote in message
    news:...
    > ClickOnce apps are typically distributed via HTTP (you download the code
    > from a web site) but it doesn't necessarily execute via HTTP. It runs
    > locally. You can deploy these on SSL endpoints if you wish.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > "7777" <> wrote in message
    > news:%...
    >> We have a consultant requesting to utilize ClickOnce and configure things
    >> in that direction for client updates and was wondering how safe it is as
    >> we're unfamiliar with this technology. You mention it executes via HTTP
    >> in that would it be able to do it through HTTPS for higher sensitive
    >> apps/updates? Thanks Joe.
    >>
    >>
    >> "Joe Kaplan" <> wrote in message
    >> news:...
    >>> ClickOnce is primarily a technology for deploying apps that execute on
    >>> the desktop, typically via an HTTP-based distro point. It is not
    >>> generally about building ASP.NET apps although you can write ClickOnce
    >>> apps that interact with it.
    >>>
    >>> Silverlight is getting a lot more attention these days as a client-side
    >>> executable framework though.
    >>>
    >>> What are you trying to do?
    >>>
    >>> --
    >>> Joe Kaplan-MS MVP Directory Services Programming
    >>> Co-author of "The .NET Developer's Guide to Directory Services
    >>> Programming"
    >>> http://www.directoryprogramming.net
    >>> "7777" <> wrote in message
    >>> news:%...
    >>>> Hello, sorry if this is wrong area and novice question so is ClickOnce
    >>>> mainly for deploying asp.net apps and would anyone know of or can
    >>>> mention any security risks when using Windows Authentication? Thanks
    >>>> in advance.
    >>>>
    >>>

    >>
    >>

    >
    7777, Feb 26, 2010
    #5
  6. 7777

    Joe Kaplan Guest

    You should be able to use whatever authentication you want. If you want to
    require authentication to allow the files to download, you should be able to
    use that. You can use IWA with HTTP or HTTPS. There may be something subtle
    about how clickonce works here but generally speaking, this applies to any
    resource you download from a web site. The clickonce files are still just
    HTTP payload.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "7777" <> wrote in message
    news:...
    What would be the Authentication Method in the Directory Security tab
    setting in IIS 6.0 for the folder to be to utilize ClickOnce? Is it correct
    that the 'Integrated Windows authentication' setting doesn't work via
    HTTP/HTTPS?





    "Joe Kaplan" <> wrote in message
    news:...
    > ClickOnce apps are typically distributed via HTTP (you download the code
    > from a web site) but it doesn't necessarily execute via HTTP. It runs
    > locally. You can deploy these on SSL endpoints if you wish.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > "7777" <> wrote in message
    > news:%...
    >> We have a consultant requesting to utilize ClickOnce and configure things
    >> in that direction for client updates and was wondering how safe it is as
    >> we're unfamiliar with this technology. You mention it executes via HTTP
    >> in that would it be able to do it through HTTPS for higher sensitive
    >> apps/updates? Thanks Joe.
    >>
    >>
    >> "Joe Kaplan" <> wrote in message
    >> news:...
    >>> ClickOnce is primarily a technology for deploying apps that execute on
    >>> the desktop, typically via an HTTP-based distro point. It is not
    >>> generally about building ASP.NET apps although you can write ClickOnce
    >>> apps that interact with it.
    >>>
    >>> Silverlight is getting a lot more attention these days as a client-side
    >>> executable framework though.
    >>>
    >>> What are you trying to do?
    >>>
    >>> --
    >>> Joe Kaplan-MS MVP Directory Services Programming
    >>> Co-author of "The .NET Developer's Guide to Directory Services
    >>> Programming"
    >>> http://www.directoryprogramming.net
    >>> "7777" <> wrote in message
    >>> news:%...
    >>>> Hello, sorry if this is wrong area and novice question so is ClickOnce
    >>>> mainly for deploying asp.net apps and would anyone know of or can
    >>>> mention any security risks when using Windows Authentication? Thanks
    >>>> in
    >>>> advance.
    >>>>
    >>>

    >>
    >>

    >
    Joe Kaplan, Mar 3, 2010
    #6
  7. 7777

    7777 Guest

    Thanks Joe, don't mean to put you on the spot but what are you thoughts on
    ClickOnce from a security perspective in that are there any specific risks
    to consider besides the Firefox issue which we mainly have our users on IE?


    "Joe Kaplan" <> wrote in message
    news:...
    > You should be able to use whatever authentication you want. If you want to
    > require authentication to allow the files to download, you should be able
    > to use that. You can use IWA with HTTP or HTTPS. There may be something
    > subtle about how clickonce works here but generally speaking, this applies
    > to any resource you download from a web site. The clickonce files are
    > still just HTTP payload.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services
    > Programming"
    > http://www.directoryprogramming.net
    > "7777" <> wrote in message
    > news:...
    > What would be the Authentication Method in the Directory Security tab
    > setting in IIS 6.0 for the folder to be to utilize ClickOnce? Is it
    > correct that the 'Integrated Windows authentication' setting doesn't work
    > via HTTP/HTTPS?
    >
    >
    >
    >
    >
    > "Joe Kaplan" <> wrote in message
    > news:...
    >> ClickOnce apps are typically distributed via HTTP (you download the code
    >> from a web site) but it doesn't necessarily execute via HTTP. It runs
    >> locally. You can deploy these on SSL endpoints if you wish.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "7777" <> wrote in message
    >> news:%...
    >>> We have a consultant requesting to utilize ClickOnce and configure
    >>> things
    >>> in that direction for client updates and was wondering how safe it is as
    >>> we're unfamiliar with this technology. You mention it executes via HTTP
    >>> in that would it be able to do it through HTTPS for higher sensitive
    >>> apps/updates? Thanks Joe.
    >>>
    >>>
    >>> "Joe Kaplan" <> wrote in message
    >>> news:...
    >>>> ClickOnce is primarily a technology for deploying apps that execute on
    >>>> the desktop, typically via an HTTP-based distro point. It is not
    >>>> generally about building ASP.NET apps although you can write ClickOnce
    >>>> apps that interact with it.
    >>>>
    >>>> Silverlight is getting a lot more attention these days as a client-side
    >>>> executable framework though.
    >>>>
    >>>> What are you trying to do?
    >>>>
    >>>> --
    >>>> Joe Kaplan-MS MVP Directory Services Programming
    >>>> Co-author of "The .NET Developer's Guide to Directory Services
    >>>> Programming"
    >>>> http://www.directoryprogramming.net
    >>>> "7777" <> wrote in message
    >>>> news:%...
    >>>>> Hello, sorry if this is wrong area and novice question so is ClickOnce
    >>>>> mainly for deploying asp.net apps and would anyone know of or can
    >>>>> mention any security risks when using Windows Authentication? Thanks
    >>>>> in
    >>>>> advance.
    >>>>>
    >>>>
    >>>
    >>>

    >>

    >
    7777, Mar 4, 2010
    #7
  8. 7777

    Joe Kaplan Guest

    I don't think I have a very well-considered opinion about this. I'm not
    aware of any specific security issues related to ClickOnce. You'd probably
    be better off researching some blogs that focus in that space. I'm also not
    sure when one typically considers ClickOnce vs. Silverlight these days as a
    delivery vehicle.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "7777" <> wrote in message
    news:%...
    > Thanks Joe, don't mean to put you on the spot but what are you thoughts on
    > ClickOnce from a security perspective in that are there any specific risks
    > to consider besides the Firefox issue which we mainly have our users on
    > IE?
    >
    >
    Joe Kaplan, Mar 5, 2010
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Ralph Sieminsky

    ClickOnce in VS 2005 Beta 1 ?

    Ralph Sieminsky, Jul 8, 2004, in forum: ASP .Net
    Replies:
    4
    Views:
    494
    Nakul Durve
    Jul 12, 2004
  2. =?Utf-8?B?RGVhc3Vu?=

    ClickOnce and Certificates ?

    =?Utf-8?B?RGVhc3Vu?=, Jan 5, 2006, in forum: ASP .Net
    Replies:
    0
    Views:
    564
    =?Utf-8?B?RGVhc3Vu?=
    Jan 5, 2006
  3. ad
    Replies:
    2
    Views:
    379
  4. Tina
    Replies:
    8
    Views:
    2,666
    Laurent Bugnion
    Sep 4, 2006
  5. =?Utf-8?B?QXNhZg==?=

    ClickOnce Button?

    =?Utf-8?B?QXNhZg==?=, Sep 7, 2006, in forum: ASP .Net
    Replies:
    4
    Views:
    629
    =?Utf-8?B?QXNhZg==?=
    Sep 7, 2006
Loading...

Share This Page