ClickOnce security?

Discussion in 'ASP .Net Security' started by 7777, Feb 22, 2010.

  1. 7777

    7777 Guest

    Hello, sorry if this is wrong area and novice question so is ClickOnce
    mainly for deploying asp.net apps and would anyone know of or can mention
    any security risks when using Windows Authentication? Thanks in advance.
     
    7777, Feb 22, 2010
    #1
    1. Advertisements

  2. 7777

    Joe Kaplan Guest

    ClickOnce is primarily a technology for deploying apps that execute on the
    desktop, typically via an HTTP-based distro point. It is not generally about
    building ASP.NET apps although you can write ClickOnce apps that interact
    with it.

    Silverlight is getting a lot more attention these days as a client-side
    executable framework though.

    What are you trying to do?
     
    Joe Kaplan, Feb 23, 2010
    #2
    1. Advertisements

  3. 7777

    7777 Guest

    We have a consultant requesting to utilize ClickOnce and configure things in
    that direction for client updates and was wondering how safe it is as we're
    unfamiliar with this technology. You mention it executes via HTTP in that
    would it be able to do it through HTTPS for higher sensitive apps/updates?
    Thanks Joe.
     
    7777, Feb 23, 2010
    #3
  4. 7777

    Joe Kaplan Guest

    ClickOnce apps are typically distributed via HTTP (you download the code
    from a web site) but it doesn't necessarily execute via HTTP. It runs
    locally. You can deploy these on SSL endpoints if you wish.
     
    Joe Kaplan, Feb 26, 2010
    #4
  5. 7777

    7777 Guest

    Thanks for the helpful insight Joe, much appreciated :)
     
    7777, Feb 26, 2010
    #5
  6. 7777

    Joe Kaplan Guest

    You should be able to use whatever authentication you want. If you want to
    require authentication to allow the files to download, you should be able to
    use that. You can use IWA with HTTP or HTTPS. There may be something subtle
    about how clickonce works here but generally speaking, this applies to any
    resource you download from a web site. The clickonce files are still just
    HTTP payload.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    What would be the Authentication Method in the Directory Security tab
    setting in IIS 6.0 for the folder to be to utilize ClickOnce? Is it correct
    that the 'Integrated Windows authentication' setting doesn't work via
    HTTP/HTTPS?
     
    Joe Kaplan, Mar 3, 2010
    #6
  7. 7777

    7777 Guest

    Thanks Joe, don't mean to put you on the spot but what are you thoughts on
    ClickOnce from a security perspective in that are there any specific risks
    to consider besides the Firefox issue which we mainly have our users on IE?
     
    7777, Mar 4, 2010
    #7
  8. 7777

    Joe Kaplan Guest

    I don't think I have a very well-considered opinion about this. I'm not
    aware of any specific security issues related to ClickOnce. You'd probably
    be better off researching some blogs that focus in that space. I'm also not
    sure when one typically considers ClickOnce vs. Silverlight these days as a
    delivery vehicle.
     
    Joe Kaplan, Mar 5, 2010
    #8
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.