This is a mirror of the official site: http://jasper-net.blogspot.com/

Silverlight 5 Security: Designed for the Intranet

Sunday, January 22, 2012

Silverlight’s role has always been poorly understood. Originally it was seen as something to compete with Flash, but Flash itself is being replaced by HTML5. It was also seen as a way of delivering cross-platform applications, but Apple’s policies concerning iOS made that a non-starter as well. Surprisingly, it is thriving in areas that were supposed to be the domain of WPF, such as internal business applications, and Silverlight 5’s updated security model reflects this.

Silverlight 2, seen by many as the first real version, wasn’t around for very long before people started asking for ways to deliver traditional-style applications. Known as “out-of-browser” or OOB, this feature was first made available in Silverlight 3. Even before that was released, people were starting to ask for access to COM. As we all know, COM in the browser was a horrible idea as far as security is concerned. Yet Microsoft relented and it was added in Silverlight 4, but only for OOB applications.

Once they had a taste of COM, Silverlight developers demanded even more access to the underlying OS, and they demanded that access even when running inside the browser. So now we have Silverlight 5 with p/invoke, full trust within the browser, and not even the illusion that this is anything but a corporate technology. Some may see this as a rather bold statement, but consider this passage from the updated Silverlight Security Overview.

    In-browser trusted applications – Like trusted applications out of browser, these applications have additional privileges such as access to the filesystem and calling COM objects. In-browser apps can run with trust only if they are signed with a key in the trusted publishers list and are subject to group policy settings in a corporate environment. The user is never prompted to grant permission.

Becoming a “trusted publisher” isn’t a simple matter of buying a code signing certificate. To be added to that list a user would have to manually import the certificate and install it using a snap-in for the Microsoft Management Console. There isn’t even a shortcut for it in the Control Panel; users have to launch it from the command line.
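Because that trusted publishers list is the only gate between a signed in-browser XAP and full trust, an administrator will want to know exactly what is in it. The following PowerShell audit script is an added example, not code from the post or from Microsoft; it enumerates both TrustedPublisher stores and flags every certificate that can sign code (the store paths and the code-signing EKU OID are standard Windows values, everything else is the author's own choice of output fields).

```powershell
# Added audit script: lists the certificates that Silverlight 5 would accept
# as "trusted publishers" for in-browser full-trust applications.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Get-TrustedPublisherAudit {
    foreach ($scope in 'LocalMachine', 'CurrentUser') {
        $path = "Cert:\$scope\TrustedPublisher"
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            # Pull the Enhanced Key Usage extension. No EKU extension at all
            # means the certificate is valid for any purpose, code signing included.
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $canSignCode = $true
            if ($eku) {
                $canSignCode = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
            }
            [pscustomobject]@{
                Store       = $scope
                Subject     = $cert.Subject
                Issuer      = $cert.Issuer
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                Expired     = $cert.NotAfter -lt (Get-Date)
                CodeSigning = $canSignCode
                SelfSigned  = $cert.Subject -eq $cert.Issuer
            }
        }
    }
}

# Every code-signing entry here is a publisher whose in-browser Silverlight
# applications run with full trust and no user prompt; review each one.
Get-TrustedPublisherAudit |
    Where-Object { $_.CodeSigning } |
    Sort-Object Store, Subject |
    Format-Table -AutoSize
```

Self-signed or expired entries in the output deserve a second look, since nothing in the Silverlight model prompts the user before such a publisher's application is granted the extra privileges.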

Read more: InfoQ

Posted via email from Jasper-net