Signing Help Viewer 1.0 Files

I’ve been having some interesting conversations about MS making us sign help files in Help Viewer 1.0 (Help 3).

So Microsoft’s arguments for signing Help are:

  • User and Vendor can be certain that help files are not tampered with or corrupted.
  • User can be certain that the help is from a trusted source.
  • In the future Help Viewer 1.x will be everywhere.
    It needs to be secure (unlike CHMs which have the ability to ShellExecute anything).
  • Downloading content from the web (in the future) needs to be secure.

I don’t have a problem with signing Help or with reducing the attack surface. But you can’t force vendors to sign. It’s costly for small companies (> $300 /yr), and signing is not trivial: it takes a lot of time to work through.

We are running a poll on signing in our Help3 Yahoo discussion group. Members are major companies who integrate into VS help. The poll shows clearly that most companies don’t sign and won’t be signing help in the short term.

Windows already has a working security model. Whenever you install something (using an installer) you get challenged with a security warning. Once the user accepts, the install is elevated to Admin mode. There are no more challenges after that point. But currently Help Library Manager challenges you a second time, and even blocks silent install if the content is unsigned.

Currently the Help Library Manager won’t allow your installer to install/uninstall/update help unless it is signed. This is unacceptable. The Microsoft future vision of all vendors signing content is fantasy. Certificates are currently too expensive and too much trouble. It’s a different story for large corporations. However the majority of software companies are small and run very lean. For example, for Helpware (this site) there is no way we can afford to buy certificates.

It’s interesting how Adobe is handling security on Flash applications. This is content that can be downloaded from the web and put anywhere on the hard disk, and Flash apps have access to your whole hard disk. So when you run a Flash app you are “always” challenged with a security warning. To disable this security message you need to enter some path information for your app in a protected folder of Windows. This is good, since only elevated installers can add this information. Or the user can add the info by hand. Either way the user is challenged using the same security model Windows uses for all executables.

What should Help Viewer 1.x be doing?

  • Work within the existing Windows security model. If there has already been a security challenge, and the install has been elevated, then that should be good enough. Help Viewer 1.0 should not go and challenge again.
  • For unsecured environments (XP OS, or UAC turned off) HLM should always challenge (but not stop unsigned content from installing). There is nothing else on the Windows platform that actually blocks installers from installing unsigned content (Challenge yes. Block no).
  • Do it like Adobe. Help Library Manager always challenges but to remove the challenge on a help file, your installer must write the help file path to a HKLM protected registry location. So the user is guaranteed to see a security message.
  • Signing is good. But should be optional like everywhere else in Windows.
  • There is currently no install/uninstall/update solution for installers dealing with unsigned help. Maybe 10% of companies sign. That leaves 90% of companies currently without an install solution. All these companies can do currently is give text instructions to the customer explaining the manual steps involved to add/remove help.
  • Help Viewer 1.0 is not like CHMs. The security risks are different. First up all help must be registered through Help Library Manager, which has the option to challenge.
  • Downloading – Again this is not like CHMs. HLM requires elevated privileges to install all help, that’s enough. If you want more then go for the HKLM registration idea.
  • For old systems such as XP or where UAC is disabled, HLM should “always” challenge so the user is guaranteed to get a security warning.

Well, I’m starting to repeat myself, so enough said.

Please add your own comments below.

Rob

