Hi there, we've written a gadget that links out to multiple URLs in a variety of different ways. Recently we received feedback from someone at Google that our "download the latest version" mechanism is susceptible to man-in-the-middle attacks. They recommended using framework.openUrl instead of the activexobject, and also using https instead of http. They said it was a critical flaw in the gadget, and must be fixed before publishing.
Fair enough, I'm all for fixing security holes. However it's confusing that they only seemed to care about our "download" mechanism, even though we clearly have multiple other URLs that open via the same mechanism (i.e. a browser), and are also not secure. So I have some questions which I'm hoping someone will be able to shed some light on!

1. Is there anything about framework.openUrl that is inherently more secure than using the activexobject? Are there any other differences that might make one more advisable than the other?
2. Should all URLs opened in a web browser from the gadget use a secure protocol?
3. We're also using XmlHttpRequest for asynchronous transmission, hitting non-secure URLs. Is there something safer about XmlHttpRequest that would explain why the Google peeps didn't flag it as a security risk?

In case anyone's wondering why we don't just ask the people who made the recommendation originally: we are, but I have low confidence in the quality of communication with them :) Unfortunately the message we received has been filtered through many different (non-technical, I'm guessing) people, not to mention 3rd party companies. I was hoping someone here would have a faster and clearer answer.

Thanks!
Elaine

You received this message because you are subscribed to the Google Groups "Google Desktop Developer Group" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups.google.com/group/Google-Desktop-Developer?hl=en
