Ask user to install ActiveX / .Net Class Library from browser

I am creating a .NET Class library project that accesses mshtml.HTMLDocument when called (from JavaScript). Everything works fine on my machine since I changed permissions in the .NET Configuration for trusted sites to have full access.

But for end users, I would like Internet Explorer to prompt them, as Windows Update does.

I signed the assembly with a strong name and a self-signed certificate, and I assert the unmanaged code SecurityPermission, but there is still no yellow bar asking the user.

Does anyone know how to trigger this prompt? Thanks

Later edit: a few more details: I am embedding the component as <object classid="dllname.dll#namespace.classname"></object>, and it works, but it does not have security permissions.

If I insert it as <object classid="clsid:..guid.." codebase="dllname.dll#-1,-1,-1,-1"></object>, a pop-up asking for permission to install appears, but the object cannot create an instance.

Update: I made my class COM-compatible, implemented Safe-for-scripting, made an MSI from it and put it in a .CAB file. It installs if the user has my certificate in Trusted Roots, and it works.

However, it does not work if it is not trusted (there is no question for the user, just ".. blocked the following active files from .."). Does this really mean that I have to put my money in an SSL certificate?!?

1 answer

I assume your question is this: can you get IE to prompt the user to install a (previously unknown) certificate to enable the managed and secure ActiveX control on the page? (If this is not your question, comment, and I can reconsider.)

The short answer is no. You will need to lay out $$$ for a code signing certificate from a trusted authority (which, AFAIK, is different from a regular SSL certificate).

Long answer:

From a security point of view, signing with an unknown certificate is similar to being unsigned, because there is no trusted authority telling the client that it can trust this code. And IE's default settings prevent you from loading and using unsigned ActiveX controls.

If what you are trying to do were allowed, then an experienced attacker could simply create a certificate, sign it, and thereby make it easier for users to run their attack code.

There are, of course, workarounds, but all of them require clients to take measures to change their IE settings or (in intranet settings) require administrators to push out changes to the client settings.

Here's more info on this from TechNet ( http://technet.microsoft.com/en-us/library/cc505863.aspx ):

Internet Explorer is not configured to trust the certification authority. Anyone, including attackers, can create their own CA and issue certificates. Therefore, Internet Explorer does not trust all CAs by default. Instead, Internet Explorer trusts only a few state CAs. If the certificate was issued by an untrusted CA, and the website is on the public Internet, the server administrator must receive a certificate from a trusted CA. If the site is on your intranet, the client administrator must configure Internet Explorer to trust the issuing CA.

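The trust decision described in the answer can be reproduced on a client machine. This added example (not part of the original question or answer) reads a file's Authenticode signature and builds its certificate chain for the code-signing usage against the local trust stores; the script parameter `$Path` is an assumption standing in for the signed control.

```powershell
# Added example, not from the original thread.
# $Path is a hypothetical parameter: the signed DLL to inspect.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Read the Authenticode signature embedded in the file.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($null -eq $sig.SignerCertificate) {
    Write-Output "No signer certificate found (status: $($sig.Status))"
    return
}

$cert = $sig.SignerCertificate
Write-Output "Subject : $($cert.Subject)"
Write-Output "Issuer  : $($cert.Issuer)"
# Identical subject and issuer is the signature of a self-signed certificate.
Write-Output "Self-signed : $($cert.Subject -eq $cert.Issuer)"
Write-Output "Authenticode status : $($sig.Status)"

# Build the chain the way a relying party would: it must end in a root
# present in this machine's trusted root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip revocation lookups so the check also runs offline.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
# Require the code-signing EKU (1.3.6.1.5.5.7.3.3); a certificate issued
# only for server authentication (SSL/TLS) fails this usage check.
$codeSigning = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
[void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigning)

if ($chain.Build($cert)) {
    Write-Output "Chain is valid for code signing and ends in a trusted root."
} else {
    # A self-signed certificate that is not in Trusted Roots reports
    # UntrustedRoot; a wrong-purpose certificate reports NotValidForUsage.
    foreach ($s in $chain.ChainStatus) {
        Write-Output "Chain error: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
```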