ClickOnce security?

[7777]

Hello, sorry if this is wrong area and novice question so is ClickOnce
mainly for deploying asp.net apps and would anyone know of or can mention
any security risks when using Windows Authentication? Thanks in advance.

 

[Joe Kaplan]

ClickOnce is primarily a technology for deploying apps that execute on the
desktop, typically via an HTTP-based distro point. It is not generally about
building ASP.NET apps although you can write ClickOnce apps that interact
with it.

Silverlight is getting a lot more attention these days as a client-side
executable framework though.

What are you trying to do?

 

[7777]

We have a consultant requesting to utilize ClickOnce and configure things in
that direction for client updates and was wondering how safe it is as we're
unfamiliar with this technology. You mention it executes via HTTP in that
would it be able to do it through HTTPS for higher sensitive apps/updates?
Thanks Joe.

 

[Joe Kaplan]

ClickOnce apps are typically distributed via HTTP (you download the code
from a web site) but it doesn't necessarily execute via HTTP. It runs
locally. You can deploy these on SSL endpoints if you wish.

 

[7777]

Thanks for the helpful insight Joe, much appreciated

 

[Joe Kaplan]

You should be able to use whatever authentication you want. If you want to
require authentication to allow the files to download, you should be able to
use that. You can use IWA with HTTP or HTTPS. There may be something subtle
about how clickonce works here but generally speaking, this applies to any
resource you download from a web site. The clickonce files are still just
HTTP payload.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
What would be the Authentication Method in the Directory Security tab
setting in IIS 6.0 for the folder to be to utilize ClickOnce? Is it correct
that the 'Integrated Windows authentication' setting doesn't work via
HTTP/HTTPS?

 

[7777]

Thanks Joe, don't mean to put you on the spot but what are you thoughts on
ClickOnce from a security perspective in that are there any specific risks
to consider besides the Firefox issue which we mainly have our users on IE?

 

[Joe Kaplan]

I don't think I have a very well-considered opinion about this. I'm not
aware of any specific security issues related to ClickOnce. You'd probably
be better off researching some blogs that focus in that space. I'm also not
sure when one typically considers ClickOnce vs. Silverlight these days as a
delivery vehicle.