Issue with Silverlight OOB warning

10 Jun

With Silverlight 3 we got the opportunity to create Silverlight applications that install on the client machine. With Silverlight 4 we can require that an application gets elevated permissions on the client machine. We are able to access local files on the client machine and communicate with hardware and installed applications using COM under the same privileges as the logged-in user.

It’s important that the user understands that an installed Silverlight application that runs with elevated permissions should be considered just like any other installed application. It’s no longer a web application that runs in a sandbox!

Scenario 1 – install without signed application

By default, when the user chooses to install a Silverlight application that requires elevated permissions, she gets a security warning that the publisher of the application could not be verified.

security_warning_unverified

“This application does not have a valid digital signature that verifies the publisher. You should only run software from publishers you trust.”

The security warning does not tell the user anything about the harm that this application can potentially cause. Instead it focuses on the missing certificate.

Scenario 2 – install signed application

If we sign the application with a certificate and install it again, we see a much more accurate security warning.

security_warning_verified

“This application can potentially access your personal data and harm your computer. Only install applications from sites you trust.”

The security warning now informs the user about the harm that this application can potentially cause. Why isn’t the user warned in the first scenario? I hope (and believe) that this will be fixed in a future version.
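Because the unverified-publisher warning says nothing about elevated permissions, the package itself is the place to check before installing. The following is an added example, not code from the original post: it opens a XAP (a ZIP archive) and reports whether its manifest asks for elevated trust. It assumes the manifest is `AppManifest.xaml` and that the request appears as a `SecuritySettings` element with `ElevatedPermissions="Required"`; the function names and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST = "AppManifest.xaml"      # assumed manifest name inside the XAP
MAX_MANIFEST_BYTES = 1 << 20       # refuse oversized manifests from untrusted packages


def requests_elevated_trust(xap_bytes: bytes) -> bool:
    """Return True if the XAP manifest declares ElevatedPermissions="Required"."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        info = xap.getinfo(MANIFEST)   # KeyError if the package has no manifest
        if info.file_size > MAX_MANIFEST_BYTES:
            raise ValueError("manifest too large")
        raw = xap.read(info)
    # The package is untrusted input: reject DTDs so entity expansion cannot run.
    if b"<!DOCTYPE" in raw.upper():
        raise ValueError("DTD in manifest rejected")
    root = ET.fromstring(raw)
    for elem in root.iter():
        # Compare local names so the check does not depend on the namespace URI.
        if elem.tag.rsplit("}", 1)[-1] == "SecuritySettings":
            if elem.get("ElevatedPermissions", "").lower() == "required":
                return True
    return False


def build_sample_xap(elevated: bool) -> bytes:
    """Constructed sample package, built in memory for the demonstration."""
    security = (
        '<OutOfBrowserSettings.SecuritySettings>'
        '<SecuritySettings ElevatedPermissions="Required" />'
        '</OutOfBrowserSettings.SecuritySettings>' if elevated else ''
    )
    manifest = (
        '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment">'
        '<Deployment.OutOfBrowserSettings>'
        '<OutOfBrowserSettings ShortName="Sample">' + security +
        '</OutOfBrowserSettings></Deployment.OutOfBrowserSettings></Deployment>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, manifest)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, requests_elevated_trust(build_sample_xap(flag)))
```

The check only reports what the manifest declares; it does not validate the package's digital signature.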

by xamlgeek 
twitter.com/thomasmartinsen
