Uggh. So if you go to http://pack.google.com

It's a site that suggests which Google products you might want to download, and creates a bundled download to grab them all at once.

The creepy part is: Just by going to that site, it shows you a list of possible options, and says "You already have the following ones." This page does not use ClickOnce. So how can they tell what programs I have installed on my laptop, just by viewing their webpage?

From: discuss-boun...@lopsa.org [mailto:discuss-boun...@lopsa.org] On Behalf Of Edward Ned Harvey
Sent: Sunday, December 13, 2009 10:36 AM
To: 'Jonathan Angliss'; discuss@lopsa.org
Subject: Re: [lopsa-discuss] Chrome Download Creepiness anyone?

Yes, it's easy to see by viewing page source at Google's Chrome download page, that it is installing via ClickOnce. Thank you, Jon, for the suggestions.

Their JavaScript detects whether ClickOnce is enabled or not, and if it is, obviously uses it. And if it's not, then they present you with a "normal" download dialog.

According to (this <http://www.leastprivilege.com/BewareBeAwareOfClickOnceDefaultSettings.aspx> page) ClickOnce features the notion of a "trusted application" - technically that means that the certificate used to sign the manifest is also imported into the "trusted publisher" certificate store. Trusted applications totally bypass the elevation/trust prompt and get whatever permissions they like - so even if you set permission elevation to "disabled" for a zone - trusted applications will be able to elevate.

If you are not comfortable with all this, I'm sure there's some way to disable it, but I don't know how yet. Personally, I would like to learn how to disable it, but leave it enabled by default for most of my users.
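The two settings this thread turns on, the per-zone ClickOnce trust prompt and the Trusted Publishers certificate store that bypasses it, can both be inspected on a Windows machine. The read-only PowerShell audit below is an added example, not part of the original messages; the PromptingLevel registry location is the one Microsoft documents for the ClickOnce trust prompt and does not come from the thread.

```powershell
# Added example (not from the thread): read-only audit of ClickOnce trust settings.
# Nothing is modified; run as a normal user.

# Per-zone trust prompt policy. Documented values are Enabled,
# AuthenticodeRequired and Disabled. Both registry views are checked.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
)
$zones = 'MyComputer', 'LocalIntranet', 'TrustedSites', 'Internet', 'UntrustedSites'

$prompting = foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($zone in $zones) {
        $value = if ($props -and $null -ne $props.$zone) {
            $props.$zone
        } else {
            '(not set, framework default applies)'
        }
        [pscustomobject]@{ Key = $key; Zone = $zone; PromptingLevel = $value }
    }
}
$prompting | Format-Table -AutoSize -Wrap

# Certificates in Trusted Publishers. As the quoted article notes, a ClickOnce
# manifest signed by one of these skips the prompt even where a zone is Disabled,
# so this list matters as much as the PromptingLevel values above.
$stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
$publishers = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, Thumbprint, NotAfter
}

if ($publishers) {
    $publishers | Format-List
} else {
    'No certificates in the Trusted Publishers stores.'
}
```

A zone set to Disabled only blocks publishers that are not in the Trusted Publishers store, so review both outputs together.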