Potential Security Issue - Native Client Launcher

Hello Forum,
I would like to draw everyone’s attention to the Native Client Launcher.
If you haven’t ever used it, I suggest you check it out. Here is a link to the help page for reference.

I believe that this could pose a potential security risk. Not in the form that someone could get in and access the internals of your system, but in the sense that outsiders might be able to find out information about your organization by seeing the names and descriptions of your projects.

Several examples:

  1. A large company is confidentially testing out a new piece of software, and they name one of their Ignition projects accordingly. If someone used the Native Client Launcher, they might see the name of the new software which would breach the confidentiality of the software test.

  2. An integrator has several projects which are named for their different clients. A competitor could potentially find a “client list” by accessing their project names through the NCL. Additionally if there were any project names that indicate work on a potential improvement or strategy they were working on, those would be exposed.

There are many reasons why one might need to allow external internet traffic to their Ignition server. (Mobile client access without a VPN, for one)
There already exists the ability to remove project names from the gateway webpage. Why not from the NCL?

Since IA is migrating away from JNLP files and wholly to the NCL, many more people will become familiar with it and begin to use it.

I am curious if anyone has any ways to prevent random people from viewing a list of projects with the NCL on a server which MUST be accessible from the general internet.

I realize that port obfuscation is an option, but that port must necessarily be shared to users which makes it relatively easy for it to get out in the open.

Additionally, I have created an idea on the ideas.inductiveautomation.com site. Check it out and upvote it HERE.

IA’s response from support regarding this issue was:
“…I checked with one of our developers and they were not aware of any plans to provide that functionality.”

I’m curious about people’s/organizations’ level of concern regarding this issue, and suggestions for fixes / workarounds.
(Obviously, my level of concern is HIGH)
As an aside, I am almost certainly going to have to anonymize all of my project names and descriptions.

Thanks for the feedback,

For now you should consider the project list public information. You don’t even need the NCL - the list is available at http://<yourgatewayaddress>:8088/main/system/projectlist.

It may be possible when we refresh the Native Client Launcher to allow you to “bookmark” projects once it has seen them listed, or to allow a project to be specified manually by name (there’s other information it would then need to fetch based on that name, which means it would be public info if someone had the name - jvm args, memory settings, window mode, etc…). With this in place it would be possible to allow the project list servlet to be disabled.

I may be missing something else - I’ll chat with my colleagues tomorrow about this.

I guess my concern isn’t only limited to the Native Client Launcher and should be separated from it. My concern is project information being available on the web without having to authenticate. I am still curious to hear other users’ opinions.

Is there a list of URLs that are available without having to sign in?

We are working on a “gen 2” NCL which will allow launching of a project without the need for the NCL to discover its name - when this is done we can properly allow projects to be “hidden” so that they do not appear in the project list endpoint.

Until then, Kevin is right, do not consider your project names as confidential. Anyone with a network route to your gateway can see them.

Just enable security on all gateway pages. Then you are forced to log in to view anything. I force all users to use NCL, so I disable all GW access to only allow admins.

Also, you can disable the “listing” of the project in the list within the project properties. We do this routinely for “private” projects or debugging tools.

There are a lot of options already in my opinion and I am sure with a lot of the new ACL security and security zones, it will get better over time.

I am pretty sure that project names will not be visible from most places if “Hide From Launch Page” in “project properties client launching” is selected for all projects that should not be seen.

I have done this on my gateway, and it doesn’t block access to the project list in the NCL or in the /system/projectlist that Kevin mentions above.

I agree that they will not be visible on the gateway, but they are still visible through the NCL and the above mentioned link.
While “most places” is better than no places, it’s still not “secure” from my perspective. I have gone ahead and started randomizing my project names.

It also occurred to me this weekend that with the NCL anyone will be able to launch any project and be able to see the login page even if they can’t get logged in. This means that I will need to wash any project specific information from my login pages as well. (Logos, etc.)

Login pages? Are you using auto-login + your own login window?

I tried this morning to hide a project from within the Designer as shown below, and it definitely did not show up in the NCL or the system/projectlist page after saving the project. If you can still see the project from the NCL after doing this, it’s something we need to look into.

No, I mean the vision client login page, where you can give a welcome message and put in a custom image.

@mgross1, THANK YOU!
That seems to have hidden it from the /system/projectlist page as well.
I had disabled everything from the HomePage, but I hadn’t noticed that option.

@Kevin.Herron, @Carl.Gould if I select that option, can I consider my project names securely hidden from the rest of the world, or are there still other ways to get that information?

FWIW, project enabled/disabled governs whether that project’s transaction groups and gateway event scripts work.
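To confirm from the outside that hiding a project really removes it from the `/main/system/projectlist` endpoint mentioned in this thread, a gateway owner can run an anonymous request against their own gateway and look for names that should not appear. The script below is an added example, not code from any poster or from Inductive Automation; the function names are hypothetical, and because the thread does not show the endpoint's response format, the body is only searched as plain text.

```python
import sys
import urllib.error
import urllib.request

# Path taken from the thread. The response format is an unknown here,
# so the body is treated as opaque text and only searched for names.
PROJECTLIST_PATH = "/main/system/projectlist"


def http_get(url, timeout=10):
    """Unauthenticated GET. Returns (status, body); status is None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:  # 401/403/404 still carry a status code
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def audit_projectlist(base_url, confidential_names, fetch=http_get):
    """Report which confidential project names an anonymous request can read."""
    status, body = fetch(base_url.rstrip("/") + PROJECTLIST_PATH)
    haystack = body.lower()
    # Case-insensitive substring match; very short names can false-positive.
    exposed = sorted(n for n in confidential_names if n.lower() in haystack)
    if status is None:
        verdict = "unreachable"
    elif status in (401, 403):
        verdict = "auth-required"
    elif status != 200:
        verdict = "not-served"
    elif exposed:
        verdict = "names-exposed"
    else:
        verdict = "no-listed-names-found"
    return {"status": status, "verdict": verdict, "exposed": exposed}


if __name__ == "__main__":
    # usage: python audit_projectlist.py http://<yourgatewayaddress>:8088 NameA NameB
    if len(sys.argv) < 3:
        sys.exit("usage: audit_projectlist.py BASE_URL PROJECT_NAME [PROJECT_NAME ...]")
    result = audit_projectlist(sys.argv[1], sys.argv[2:])
    print(result)
    sys.exit(1 if result["verdict"] == "names-exposed" else 0)
```

Run it from a host outside the trusted network, before and after changing the project's launch-page setting, so the result reflects what an anonymous visitor with a route to the gateway receives.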