On Sun, 30 Apr 2000, you wrote:
>Windows is not incapable of priviledge levels or access restrictions. It
>is merely installed by the typical user without any. That is a matter of
>laziness rather than lack of capability. Any proper and secure ActiveX
>installation should allow you to set up such security (which would also
>alleviate a lot of the other security holes typical of windows use to
>access the internet.)
>
>However, lets say you create a runtime to run ActiveX on a linux/unix
>environment. Because that environment specifically allows priviledge
>levels and access restrictions, you can build this capability into the
>runtime, such that it can interpret an ActiveX applet as being a user,
>group, or world level of access, and ban root from executing ActiveX.
The point I'm making is that ActiveX has a security model based on
trust and authentication, rather than by restricting what an applet is
able to do. This was a conscious and deliberate design decision, and
Microsoft has never pretended otherwise or represented ActiveX
security as analogous to Java sandboxing.
>From Microsoft's 'Facts about ActiveX' at
http://www.microsoft.com/security/bulletins/actxclar.asp:
"Software can be designed to provide great value and improve
productivity. But it can also be used to create malicious programs
that can do harm. As with any versatile technology, there are
important trade-offs to understand about software downloaded from the
Internet. Building a program with the utopian "guaranteed"
security that Sun promises from the Java sandbox would also severely
limit the functionality of the application, thereby crippling the
developer's creativity and limiting the user's options. (The sandbox
is an environment where Java applets run. Applets running in a sandbox
have very limited functionality because they cannot access resources
on the user's system.) Imagine, for example, a check-writing
application that couldn't even save files to your disk but instead
required you to re-enter the information each time you wrote a check."
"The only way to provide users with both the most positive computing
experience and maximum security is to adopt a model based on trust. A
trust model identifies the certified provider of a program and then
allows users to decide for themselves whether to trust that provider.
This model allows developers to create the most innovative
applications, and allows users to realize the full potential of their
computers while still maintaining an appropriate level of security."
Certainly an executable can be sandboxed as effectively as bytecode,
given sufficient operating system support. But that isn't the way ActiveX
works, or the way it was ever intended to work. I come down on the other side
of that particular design decision - in my view 'trust' requires eternal
vigilance, the cost of which in practice is indifference. How many times a day
do you click away the 'Anyone could read what you just typed' box while dealing
with forms? Have you ever refused anyone's authentication certificate? Now, of
course, I have only myself to blame if something gets though - but I don't find
that a particularly great comfort.
-matt
This archive was generated by hypermail 2b29 : Thu Jul 27 2000 - 14:10:02 MDT