
March 20, 2008

Gaping hole revealed

Gaping hole revealed: When AIR launched, one thing bothered me: the unresolved concern printed in the AIR launch article from The New York Times (alternate): "Microsoft executives said they thought their company would have an advantage because Silverlight has a more sophisticated security model. 'Desktop integration is a mixed blessing. There is potentially a gaping security hole,' said Microsoft’s Mr. Becker. 'We’ve learned at the school of hard knocks about security.'" I tried to ask for a copy of that "prepared statement", or for any other concerns, at Brad Becker's blog (cache), but it didn't accept comments. I also tried to ask another Microsoft staffer in my own blog, without result. Security is something that everyone must get right, so we need to bring these things out in the open. Now, though, I think I may have found the root cause of the concern and worry, in an interview with Microsoft Corporate Vice President, .NET Developer Division, Scott Guthrie: "It [AIR] does not have a security trust model. If you install an AIR app, it has full access to your documents." If that was the root concern behind "gaping security hole", then worry no longer: the overview and whitepaper show that it does, and doesn't need to. But perhaps this was the potential "gaping security hole" instead: "People want to know that if they type in a URL and visit a website, that it can't access their local documents, it can't steal content from their file system." Hmm, AIR contains a browser, but is not a browser, and in fact complements a browser: AIR apps come only from those sites you do trust. But if neither was your core security concern, Scott, then please leave a note in the comments here, or use the security alert if you think such discussions would be better out of the public eye, thanks. (Oh, and one more thing, so long as I've got you: It's more sensible to compare like with like, such as new browser plugins with existing browser plugins. AIR is not a browser plugin... it's something unique and new. Clear? ;-)

Posted by JohnDowdell at March 20, 2008 10:26 PM


Comments

Sometimes I question your dedication to Sparkle Motion. --Donnie Darko

Posted by: jacob at March 21, 2008 05:46 AM

I love this line, "There is potentially a gaping security hole." Which means they don't know, since anyone who talks to reporters hasn't even installed the damn thing for themselves. Smart market research on their part.

Posted by: Chris Charlton at March 21, 2008 11:39 AM