Fog Creek Software
Discussion Board




Welcome! and rules

Joel on Software

IE .Net Framework security settings

In the IE security settings, "run components not signed with Authenticode" is enabled by default. I'm running IE 6 SP2 with the internet security set to medium.

I'm not that familiar with .Net, the ins and outs of Authenticode, and what unsigned components are capable of doing to my box.  Should this be sounding off alarms, or is there a sandbox, like Java?

Nick
Thursday, July 10, 2003

Let me give you a brief rundown.  For a longer explanation, read my book (if you can still find it; wrox went bankrupt...)

First of all, understand the differences between TRUSTED and SAFE and BENIGN.

"Safe or unsafe" is crisp and techical -- either this dll can erase your hard disk, or it can't. 

"Trusted or untrusted" is squishy and nontechical.  Do you _personally_ feel like you can trust the guy who wrote this code?

"Benign or hostile" describes the mindset of the person who wrote the dll.  Are they out to get you, or out to help you?

Trusted code is not necessarily safe.  Rather, trusted code is assumed to (a) be benign, and (b) correctly report whether it is safe or unsafe.

That way when IE goes to run a trusted control on a web page, it can ask the control "are you safe?" and you trust that the right answer will come back.  IE by default will only run code which is trusted and safe.  (You can change these settings of course.)

OK, so what does this have to do with authenticode? 

Authenticode provides EVIDENCE that the person who claims to have written the code really is that person.  Companies like verisign issue code signing certificates which are very hard to forge. 

You express your trust opinions through setting POLICIES which tell the security system how to interpret the evidence -- like "run code even if it was not authenticode signed" -- which basically means "I trust everyone". 

Why authenticode?  Because bad people are unlikely to write hostile code, sign their names, and wait for the FBI to show up -- we hope that requiring authenticode weeds out the actively hostile!  (Unfortunately, that does not stop the incompent benign, but that's another story...)

In the ActiveX world there is only "trusted" and "untrusted".  In the .NET world it gets more complex because, as you note, there is a "partial trust" sandbox. 

Managed code run in the "internet zone" can run with partial trust even if it is not signed, but it is guaranteed to be safe because it runs in a safe sandbox.  The default policy is for internet zone code to be given the right to create simple dialog boxes, printer dialogs, etc, and that's it.  If it tries to read your hard disk or send email, the runtime throws an exception and the operation fails.

Does that make sense?

Let me know if you have more questions.

Eric

Eric Lippert
Friday, July 11, 2003

*  Recent Topics

*  Fog Creek Home