login      my ps      about      contact  



home instructor-led training on-demand screencasts blogs


Security Briefs » Windows Live OneCare Firewall and Software

Windows Live OneCare Firewall and Software

Security Briefs

Pluralsight Blogs

Syndication

Recent Posts

Tags

View more

Keith's books

Misc

Recent Articles

Archives

I've recently installed Windows Live OneCare and generally have been very happy with it. I'm using the Family Safety option to help my kids access the Internet safely. But one thing that's been bugging me is the outbound firewall.

If your software is signed with a code signing cert issued by an authority that is trusted on the machine (e.g., Thawte, Verisign, etc.) you're good, because the firewall will automatically allow your software to access the Internet. But if you don't want to shell out the hundreds of $$$ it takes to get one of these certs, especially for homebrew software, you might try to do what I did and tell the OneCare firewall about your app. Under Advanced Settings, you can point at your EXE file and tell the firewall to allow it to make outbound connections. Sadly this doesn't seem to work very consistently. Here's a sample program that I could sometimes get this to work for, and sometimes not:

using System;
using System.Net;

class FetchMicrosoftHomePage {
    static void Main() {
        byte[] data;
        try {
            data = new WebClient().DownloadData("http://www.microsoft.com");
            Console.WriteLine("Microsoft's home page is {0} bytes long", data.Length);
        }
        catch (WebException x) {
            Console.WriteLine(x);
        }
    }
}

I've spent about an hour trying to figure out why I can only sporadically get the firewall to recognize this program, and I'm done now. FWIW, when it's not recognized, the firewall outputs a log message like this (you need to turn on detailed logging to see this, BTW):

There's a lot of people who will argue that an outbound firewall is useless, especially for non-techies. And a lot of people will argue the opposite point. I'm not here to argue either of these points, but I can say that this type of behavior makes it pretty hard for even highly technical people to use.

Since I'm personally in the, "outbound firewalls aren't that useful" camp, I fixed the problem on my own machine by adding four rules that allow all outbound TCP and UDP connections to all ports (I figured I needed four, since each rule only allows one protocol and you have to pick between local subnet vs. Internet). Then I shut off the prompts for "blocking" programs and everything seems to be working fine. But I wonder how many software developers will be running into deployment problems in home environments where lots of users are running this firewall.

Posted Jan 10 2008, 07:37 AM by keith-brown
Filed under: ,

Comments

Scott Seely wrote re: Windows Live OneCare Firewall and Software
on 01-16-2008 4:58 AM
Keith--

Just want to disabuse the notion that code signing is in the hundreds of $$$ realm. John Robbins recently posted about getting a code signing cert for $80/year. http://www.wintellect.com/cs/blogs/jrobbins/archive/2007/12/21/code-signing-it-s-cheaper-and-easier-than-you-thought.aspx

Still not free, but it's not a killer cost either.
Keith Brown wrote re: Windows Live OneCare Firewall and Software
on 01-16-2008 5:33 AM
Scott,

I can get a code signing certificate for free by issuing it myself. But you need more than a code signing certificate - you need one that was signed by a CA that's trusted by all of your customers.

A quick scan of the blog entry you mentioned shows that Jon had to explicitly install Comodo's CA certificate into his trusted root store:

"I had some trouble with registration process at Comodo. Make sure you add https://secure.comodo.net to the list of trusted sites in Internet Explorer so they can properly get you registered and install their trusted root certificate on your computer"

That's not an operation your setup application should be performing on a customer's machine, IMHO.

So I'm not sure I buy Jon's argument that code signing is cheaper than you thought. If I'm going to sign stuff for my own personal use, I'll use a cert that I issue, and it'll be free. But if I'm building commercial software that will be installed on other people's machines (who don't necessarily trust me), I'll stick with VeriSign, Thawte, and friends, since my customers already trust those CAs.

A personal rant on the bigger picture: code signing is ultimately pretty silly. Does my mom really "trust" VeriSign? Would she really care if I installed my own self-issued CA's cert in her trusted store? Would she have a clue what that meant if she were warned about it? Frankly the whole business seems ludicrous to me because the user ultimately has to decide what she trusts and what she does not. IMHO, all code signing does at the moment is keep VeriSign in business. End rant.

Add a Comment

(required)  
(optional)
(required)  
Remember Me?


home instructor-led training online training blogs

781.749.9238 (East Coast) | 310.251.9901 (West Coast) | Pluralsight, LLC , 185 Lincoln St., Suite 305, Hingham, MA 02043-1741

Copyright © 2008 Pluralsight LLC. All rights reserved.

designed by nukeation