My ClickOnce chapter is up on the web

View it on the vbasic Developer Center...

Comments

  • Anonymous
    October 28, 2003
    The comment has been removed
  • Anonymous
    October 28, 2003
    Very cool. I am looking forward to playing with this!
  • Anonymous
    October 31, 2003
    Duncan,

    I went to the PDC and attended the ClickOnce team's presentations on this, and found your information just as informative. However, my question to you is the same as the question I presented them:

    How much worse does ClickOnce make social engineering attacks and popup ads?

    Because ClickOnce applications are full-fledged OS windows with the full range of .NET WinForm controls, it is really easy to spoof a pixel-perfect Windows dialog that asks the unsuspecting user for valuable information. For example, I was able to code a ClickOnce form that looks exactly like a .NET Passport wizard dialog.

    Also, the ability for popup ads to appear and stay on your desktop is magnified dramatically. A WinForm can easily be coded to not ever close until the process is killed (which is hard for Mom and Dad to manage). Furthermore, a WinForm can spawn as many other WinForms as it wants, at any time interval.

    I feel the ClickOnce team's response of "well, we're not making the Web any less secure" is simply unacceptable. It is significantly worse now because users now have no power to differentiate between local, trusted UI and remote, untrusted UI.

    What are your thoughts on this?

    kevhsu@msn.com