The problem is not in allowing people to decide they want to install potentially dangerous software that is not signed, but in making it too easy to do so.

Most users do not understand that it is not enough to trust the site that they downloaded the software from but also need to trust that no one has used DNS spoofing to get them to download software from a fake version of a site they trust. That is why verifiable signing is important. If an application is signed, then you can be sure it came from the right party regardless of any man-in-the-middle attacks. If you make it really easy for people to install self-signed applications, then all an evil hacker needs to do is to copy someone's popular application, insert some malicious code, post it on a spoofed copy of the website and get people to download it and run it. If the only difference in the installation process for certifiably signed and self-signed applications is the publisher name shown in the dialog, then 9 out of 10 people will go ahead and install it anyway. That is why hackers will like this feature.

I am not saying that people should not be allowed to install self-signed or unsigned applications if they want to, but the process should be different enough and require enough manual steps to ensure that the user has really had the chance to think the decision through and is not just clicking OK on every dialog.

Personally, I really don't understand the benefit of self-signing. Why bother signing at all if the signature cannot be verified?

It does not appear that you read my comment carefully. Did you miss the part about man-in-the-middle attacks? There is no such thing as a "trusted third-party" site without signing or at least https. Users can be fooled into downloading software from what they think is a site they trust but is really a fake. Just wait, and you will see it happen eventually. It is true that authentication is not by itself sufficient as a security tool, but that does not mean that you should just throw it out the window as Adobe has effectively done with this policy. As I said, the problem is not that unsigned/self-signed applications can be installed, but that the process for doing so is exactly the same as for signed applets making it way to easy for unsophisticated users to click without thinking. Obviously, Adobe's real goal here is to make it as easy as possible for people to write AIR applications that end up on people's desktops and are willing to sacrifice end user security in order to to get that.

I can see the argument that self-signing could be useful for testing, but don't really understand how it helps "workflow" or why it would be helpful in an Enterprise setting. You trust the content you download from inside of your firewall because it comes from inside, not because it was signed by a certificate that gets displayed as "UNKNOWN".

I find it really interesting that Adobe is so ignorant of their own Adobe AIR security problems.  I'll explain the problem as clearly and with as much brevity as I can.  Please read carefully.

Adobe AIR applications have full system access to the machines that they run on. This means they can do pretty much anything that a natively installed application can do. They can access any directory they like, overwrite files, modify files, read any file they like and communicate their findings to any host on the Internet. In laymen terms (I'm a laymen so I can't help but talk from that perspective) Adobe AIR offers no security at all. Adobe has offered three extremely lame counter arguments to this including: We sandbox remote code, we never promised you security, and Adobe AIR applications will only be available from established and respected web sites.

1. Remote Code:
Adobe AIR applications have full system access. For example, I could write a tic-tac-toe game in Adobe AIR that installs spyware or writes a rootkit the first time it runs on your desktop. If that game itself accesses remote code after its installed, like a JavaScript program, that JavaScript will be sandboxed, but so what. The actual AIR application is not sandboxed. It's kind of like locking the doors after you invited a complete stranger into your house. It doesn't make a lot of sense.

2. We never promised you security
When the full system access problem is brought up in a public forum, Adobe falls back on the excuse that "we never said it would be more secure than native applications". This is true. While Adobe did imply it was more secure by talking about their remote security sandbox, they never said AIR applications themselves were secure. Our response to this is: "Well, thanks for nothing". You just took everything the industry has learned about security in the Web and thrown it out the window.

3. Now John Dowdell introduces the latest and lamest of Adobe excuses: AIR applications will be available from reputable web sites that you can trust. To which I say, "What are you talking about?" First, why won't Adobe AIR applications be available on other web sites like porn.com or momandpop.com? In fact, if Adobe AIR is successful AIR applications will be available from all over the place. People will not always get them from Adobe Marketplace. The same thing that led to viruses everywhere today will lead to Adobe AIR viruses everywhere tomorrow. People download applications from all over the place and in many cases do not consider the security risk. Second, are these "reputable" web sites like Adobe Marketplace going to vigorously examine each and every 3rd party application made available from their site to ensure they don't have hidden viruses or time-bombs or rootkits. I doubt it. If they do then the market place is going to be very expensive to run and will grow extremely slowly.

I figure Adobe is guilty of one of two things: Either they are incredibly naivete or they think everyone else is incredibly naivete.  Which is it?

"why won't Adobe AIR applications be available on other web sites like porn.com or momandpop.com?"

I'm trying to find your core concern, so that I can accurately relay it to others. My previous guess about the man-in-the-middle/phishing stuff seems wrong, then, because now we're onto porn sites.

Yes, a porn site may offer an AIR app. I wouldn't install it myself. Do you think enough other people will, and that's why "criminals will love it"?

(I would not expect much in the way of third-party distribution sites, not when AIR delivery can be done so easily directly.)

"I figure Adobe is guilty of one of two things: Either they are incredibly naivete or they think everyone else is incredibly naivete. Which is it?"

Yes, I stopped beating my wife. I mean, no I didn't stop beating a naif, no I, wait....

Summary: If you've got a reason "Why Criminal Hackers Will Love Adobe AIR", then I'd like to know what it is well enough to warn others, if needed.

jd/adobe

I think this has been explained ad infinitum. Anyone with a modicum of computer security experience will understand these issues. You clearly are not such a person, but I have no doubt that Adobe has several such people so there is no need to maintain the pretense that you need to pass on any warning to them. Adobe knows exactly what they were doing with this security policy: they are compromising end-user security in return for more AIR downloads. It might even be a good business decision for them. By the time there is the first publicized exploit they will probably manage to get AIR on a lot more desktops and can just issue a security patch to implement the behavior they should have had in the first place. After all, the numerous security flaws in Flash through the years have not prevented it from ending up in everyone's browser.

It's obvious what the problem is -- that no security is provided -- but the exact same thing happens if I distribute a Java app via Webstart (or via download, like my www.confusionists.com/handsonic) or if I distribute a .Net app (as I do with www.thekbase.com). What would be the "first publicized exploit?" You mean, a malicious application?

My question is, what kind of solution do you want? Most users who have a personal firewall installed say "yes" to every access request, because otherwise STUFF DOESN'T WORK. There is no simple answer to this. Imagine an app that says, "this so and so app wants to delete some stuff from you /opt/whosit directory. Is that okay?" How should a user respond. As computers are being used by more and more people, more and more people do not know what their filesystem looks like.

A real solution -- for AIR, like for .Net or Java or native applications -- would include some kinds of security levels or something (i.e., the sandbox would have to be comprehensible to the end user). But what would it require of the user? What kind of user would be able to benefit from it?

We have all types of malware because OSes (and VMs) provide a service, which can be used for evil as well as good. Security is really really hard stuff to do, because we want our OS or VM or whatever to continue providing a service. Critics are everywhere but solutions that are viable for the masses are few.

Excuse my naivete and getting to the conversation late. I'm just thinking of using AIR for my next app and happened to have found this thread.

a couple random thoughts

as i was reading through the article and associated comments .. i played a little game where every time i saw a reference to Adobe AIR i replaced it with something like Java or .Net .. i found that most of the statements were just a valid with these replacements (Daniel touched on this in his comment) .. essentially the singling out of AIR, in this context, is frivolous.  i might have preferred an article titled "Why Criminal Hackers like the amateur software trade" or on a less negative note "Why Criminal Hackers hate curl" .. it seems like that article might have better addressed the issues inherent in our current software distribution model and even possibly offered some solutions for both future software developers and developers with large existing code bases or other extenuating circumstances that prohibit them from changing development environments.

now there are 2 conflicting dichotomies that make the above topic difficult to discuss ..

firstly, we have "Casually loaded Internet gadgets" vs applications that need system access .. (for the sake of this discussion we will pretend that there is no area of gray between these two) .. I think most would agree that the gadgets have absolutely no need to run outside of a secure sandbox of some kind .. I personally would agree that most applications don't need any more access than those gadgets do .. but that leaves us with applications than need system access ..

which bring us to our second dichotomy .. professional software vs amateur software .. a company, in the case of the type of application that needs system access, can do the whole signed application / certificate thing to prove their software is 'legitimate' .. but a weekend developer, just trying to get his/her stuff out there for people to see probably doesn't have the cash (or desire to spend the cash) to 'verify' their software .. i understand that an end user can still download and install this software if they "agree to a pretty scary warning" but ..

a company that i was working for allowed users to place links to external sites on their profile .. now obviously, within the first week some malicious users took advantage of this to redirect naive users to password mining copies of our login page (despite copious warnings against trusting links on a users profile) .. so then, every time a user clicked on an external link .. we popped up an alert, notifying the user that he/she was navigating off the site .. (almost no change in the number of accounts compromised in the above manner) .. next step: every external link went to a page where, on a red background, bold text notified the user that they were leaving the site .. (only slightly fewer passwords were compromised)

when you are in an environment that offers both limited-secure and unlimited-nonsecure interactions .. you have to trust the user to apply their better judgment to the situation .. unfortunately, and don't get me wrong .. i love the little scalawags, users don't want to read your important warning message

(as a side note, on the point of signing .. while great for 'man in the middle' hacking .. i feel the need to point out that once, on a lark, a few of my friends and i chipped in on getting a piece of malware properly signed through Verisign.)

ok .. last thing .. then i shut up:

software development is a landscape of ever changing topography .. and right now, one of the prominent features of that landscape is amateur developed applications .. we see this on sites like face book, and in the casual gaming community .. really all over the place .. in the past, the lion's share of our interactions with this 'software' was mediated by a browser, and the sandboxes that come with it .. but this has been changing .. people don't always just want a little freeware gadget or game .. there are applications now .. and some of these applications cannot be run from a locked down sandbox .. and this obviously has the potential to cause a lot of damage .. but it also breaths a lot of new life into the software development community

now we could solve the above problem by creating a solution in a single language, and bullying everyone else into using it .. but even if you could get everybody to agree on your solution .. one of the big reasons multiple programming languages exist is that they all solve for different problem domains .. furthermore, those problem domains evolve over time .. so the likelihood of your solution or language still being applicable (or even existing) in 20 years is pretty low

it seems to me that if we are really intent on making the software world a safer place for users to navigate, we need to focus on a solution that is language (or even context) agnostic .. maybe it's a lightning fast virtual runtime that can encompass any VM and act as an internal firewall who's rules are set by an external team of experts (like modern virus software) .. or some topographical change to the way we build operating systems that separates 'secure' actions from 'insecure' ones .. or even a system that can cleverly trick users into learning enough about how their computer works to make informed decisions when those crazy popups tell them that they have to make some arbitrary seeming choice .. I believe that solution to be Adobe Air .. just kidding .. i wanted to see if anybody was still reading at this point .. to be honest, i have no idea where such a solution might sit .. security isn't my milieu.

-- me

rwizard, I ended up here for the same reason. I started to d/l the Media Player and noticed that AIR would be installed (whether I wanted it or not). Well, I didn't want something 'unknown' so I started looking for info about it. I agree with you 100% (and I'm just an end-user with some certifications, A, Network, iNet+, etc.) I work very hard to ensure that I don't end up with a lot of things on my computer that I didn't d/l or install, and (knock wood) this ol' computer has been running for years and years (too poor to replace it, LOL). Thanks to rhh for your info and to the adobe writer for his/her feigned? transparent? ignorance. Even this non-programmer could see how providing system access to code available to literally any programmer provides system access to literally any programmer. Doh.

The fact that the application has to be installed is a pretty significant "opt-in" on the user's part. Most malware that I've seen doesn't even have to be installed. It's much easier to get a user to run a stand-alone executable than to get he/she to complete an install process that puts an executable into the user's applications directory (which is all an AIR installer really does).

Well Mr. Author,

Can you tell me that when we download any program made in any language like C,C++,Java ,Python , etc .. Do you get any Verisign kind of security certificate with every produt , NO they don't pose certificates but still all of us download them and use them , What if those Apps poses Trojans or malicious code ???

And AIR Apps use limited OS services only , You can't exploit infected system massively .

So Better think thrice before posting any such comment for any technology , specially if you don't know about this .

Yes this is a generic problem for many ways of delivering software, but security is becoming an increasingly important problem.  So platforms like Curl are offering ways to provide powerful applications from unknown authors while allowing the user to have some confidence that they are avoiding a security threat.  I don't trust amateur software anymore, and would feel more secure if the amateur software was delivered using a platform like Curl.

Btw, sorry for typos. Using iPhone and it's bloody annoying autocorrect feature.

Richard, Thanks for the 'straight' common sense. I spent allot of time dealing with what I have to see now as a 'victim'. Have been desperately needing full use of my computer to find a job and access years of machining 'portfolio'.

I've been a CNC Programmer over 30 years; no doubt it was allot easier back in the days using an IBM 370 or even a PDP-11; either mainframe used as a 'tool' to focus on the task, reducing workload and improving life with more leisure time. Now it seems my lesiure time is spent prying 'Corporate greed' out of my computer (ietoolbox) so I can improve current situtation that is more their fault than mine.Is it just me.......? Was getting frustrated now I'm ___.  What follows is email to some my 'contacts' as a 'heads-up' and a 'lampoon'.   Final draft is going to My Congressmen.  They've lost me; Adobe will be replaced! Charles

Damn, I spent all day 'cleansing' my 2000Pro desktop!!  Over the last month, I've been faced with a steady decay in oper system stability, processing speed, and website functionality. Unusual Memory dumps, system freezes, file corruptions, loss of website and server  connects...... all looming with much greater frequency.... First thing I recall noticing was some 'major' websites that I visit on a daily basis were oddly varying in appearance and format; were missing 'scripts' in now blank fields and had their usual navigation links
unreactive or absent.............Even Firefox 3.5 started crashing regularly ... Without any real apparent cause I vaguely assumed that recent website modifications had been implemented to enhance the 'Vista' users experience and were non-compatible in a Win2000 environment .........OK, Don't ask me why I'm still using 2000 in response to requests for IT help I've posted! Just call me a dinosaur, punk!
I was just about to re-format boot drive and change over Oper system to XP-Pro when repeatable 'crash' of any .PDF file was observed upon scroll to next page regardless of ..........OK,  What is 'jacked' with  Adobe Reader that is common to both web and local drive .PDF files???  I Found the 'Rat'.  About a month ago, I casually updated Adobe Reader from 9.0 to 9.1.  using Adobe's website....Well, true to various critical complaints raised about their pricing policies ( see Wikipedia "Adobe Systems-criticism") and manipulative practices of implementing software platforms that are more focused for their and their corporate client's 'revenue generation' (BY DESIGN) then they are a useful application to the 'sucker' end-user.
That RAT's name is ADOBE AIR (now auto-loaded with only 9.1 'update' to Adobe Reader  made available).
From: Wikipedia "Adobe Air"  ......a rich Internet application deployed in a browser does not require installation, while one deployed with AIR requires the application be packaged and installed to the user's local file system. However, this provides access to local storage and file systems, while browser-deployed applications are more limited in where and how data are accessed and stored.

Adobe AIR 1.1 was released on June 16, 2008, and provides support for building internationalized applications. Runtime installation dialogs were localized to Brazilian Portuguese, Chinese (Traditional and Simplified), French, German, Italian, Japanese, Korean, Russian and Spanish. In addition, version 1.1 includes support for Microsoft Windows XP Tablet PC Edition and 64-bit editions of Windows Vista Home Premium, Business, Ultimate, or Enterprise. (I know it doesn't support 2000, learned the hard way!!!)

AIR applications can operate offline, and then activate further functionality or upload data when an active Internet connection becomes available. One example is eBay Desktop,    That's called a "TROJAN HORSE": %^$%&^%*( Honey, get my ______ )
  
SEE:/blogs/community_blog/2008/04/16why-criminal-hackers-will-love-adobe-air