Hi, some of our users are starting to inquire about Silverlight.  We have a few questions about Silverlight security / privacy:

1) Can local ("isolated") storage be globally/entirely turned off for the Silverlight plugin?  We have cookies turned off on all of our thin client / stations / PCs and the vast majority of web sites work without them, the few that don't are simply not used... (of course this forum doesn't work without cookies ...like any badly designed site, it makes assumptions as to their availability).

2) If isolated storage were allowed, can persistence be disabled?  As in: the isolated storage would be automatically cleared / deleted when a user leaves a web site.

3) This "isolated storage" also begs the question: without limits what prevents a rogue web site from redirecting to / iframing multiple (thousands of) virtual web sites each consuming their "max" 1MB storage space?

4) Is there more detail available on the full security implications of Silverlight?  We are concerned about the code execution possibilities and personally am more than confident that sooner or later a hole will appear in the (inherited classes of the) framework.

5) Also, for privacy reasons, Is there a way to disable the unique PC software version / hardware ID / manufacturer information Microsoft and partners collect with Silverlight?  Or at the very least get a highly detailed breakdown of the information collected with "standard computer information"?  ...from their privacy statement: "Internet enabled features in software will send information about your computer ("standard computer information") to the websites you visit and web services you use. This information is generally not personally identifiable. Standard computer information typically includes information such as your IP address, operating system version, browser version, your hardware ID which indicates the device manufacturer, device name, and version, application version and your regional and language settings."

Stret,

I don't know if this helps or not, but ScottGu answered a few of your questions in comments relating to his recent blog post.

For convenience, I've extracted a few of his remarks from the aforementioned blog post:

"End users can set policy to limit local storage options (by default an application is allowed 1Mb).  When a user flushes their internet cache the local storage is cleared - just like cookies."

"What a Silverlight application can do is store content in a cache which acts like a browser cookie.  It is only available to that site, and an end user can grant or deny it the rights to-do that (as well as control the size of the cache).  The cache will be persisted by default when a user closes the browser and re-opens it and visits the same site again - but the user can deny permission to-do this if they want."

I'm sure a lot of these questions will be answered at Mix this week.
 

 

If this has answered your question, please click on "Mark as Answer" on this post.

Thanks,
Page Brooks, MCSD, MCAD
PageBrooks.com | RSS Feed

Thanks for the reply pbrooks.  It doesn't really answer my questions in detail but I have not been able to find more information myself.  Also, from what I have seen, Silverlight's own configuration options appear to be very scant and offer little control over Silverlight's behavior.  If limits can only be set via admin policies, it means that most users will not be able to set them and setting them will probably break many Silverlight apps.  From what I've read it appears Silverlight expects clients to have resources (the "demos" are very sluggish) and disk space to spare and of course developers will assume this.  Sounds like yet another administrative nightmare for us.

Suffice to say that Silverlight will not be installed on any of our systems for a good while, or at least as long as we cannot find much more detailed security / privacy information and are not provided with a lot more control.

Microsoft understands that the goal is to simplify products for end users and administrators, however they go about it in the absolute worst way.  Instead of actually simplifying their products and offerings, they make them ever more complicated and try to cover them up with meager oversimplified interfaces or "wizards" in an attempt to hide as best as possible all of the excessive complexity.  This makes it ever more difficult to manage since we have a harder time figuring out what is actually going on.  And silverlight is a brand new product... I can just imagine what Silverlight and XAML will look like in five years, let alone ten... <sigh>...

Actually, Silverlight isn't all that configurable, because it is already pretty locked down, and there isn't an extensibilty model. You may be able to extend isolated storage, and you can set up cross-app domain policy files on your servers, but the whole zone-based CAS model is out the window. You can't extend (or place further restrictions on) the sandbox. User code is always transparent, meaning that it can't call privileged operations. Ever. No elevation.

We use the browser for just about everything, including the browser cache for download storage, and do our best to restrict what Silverlight can do to what the browsers lets us do.

We have no wizards, helpers, or configuration applets. Please let me know if you have specific questions/concerns about security or privacy.

Dave Relyea [MSFT]
http://blogs.msdn.com/devdave

OK, I see from the orginal post that you do have specific questions. I'll look into those :)

Dave Relyea [MSFT]
http://blogs.msdn.com/devdave

Thanks for the reply and I look forward to and would appreciate answers to my questions.  Those were the first questions that came to mind from the little I read, I haven't had time to put much thought into this; perhaps later, but it would be nice to have a detailed technical FAQ beyond a simplified sales pitch FAQ.  But I do worry when confident developers claim that an app is very safe/secure because the moment there is an exploit they simply claim the app was used in a way it wasn't intended to be used (something testers fail to do).

Dave Relyea:

[...]We use the browser for just about everything, including the browser cache for download storage, and do our best to restrict what Silverlight can do to what the browsers lets us do.[...]

Clearly I know nothing about Silverlight but from the little I did read it appears many web sites contradict what you just wrote.  When we configure the browser cache we specify a size limit and a target directory for each browser.  If what you wrote was true, Silverlight's isolated storage would share this defined space and size limit.  However most web sites that I've read believe that Silverlight's isolated storage is placed in a user's "Application Data" directory and that the only size limit is "1MB per app."; and on top of that, most seem to think that a Silverlight web application running under IE would be able to access it's same isolated storage data when running under Firefox as well!  This doesn't jive with the browser cache concept at all.  I don't know how that is restricted to what "the browser lets us do"?

Please excuse my rant on overly complex MS apps' simplified interfaces and "wizards", but we constantly get crap from users for Microsoft apps as they struggle with them while we struggle figuring out what these apps are actually doing below the surface (which does often seem overly complex; why not keep things simple below the surface?).  It wasn't a Silverlight specific rant... probably timely inspired by our current attempt to introduce Office 2007 which has users screaming at us due to the "simplified" UI.

I don't believe that what I said about isolated storage was inaccurate, but it would probably be best if I write more when I can look at the docs and/or code regarding isolated storage, rather than just rattle off what I remember off of the top of my head.

However, I can address other aspects of security, such as the differences between ,NET 3.5 and Silverlight. In Silverlight, we don't have an adjustable sandbox such as provided by zone-based CAS, which could be considered complex. We have a single sandbox, with no elevation available.

We don't do our own AUTH, and we go through the browser for our downloads.

Dave Relyea [MSFT]
http://blogs.msdn.com/devdave