
Re: ActiveX security hole reported.



I appreciate the points that Stephen Cobb raised.

What I was alluding to was that untrusted ActiveX software will never
be secure enough for some, but that it has more appropriate applications.

HTTP, HTML, Java and ActiveX program ever more powerful virtual machines.

As long as the browsers allow the information consumers to draw the line
somewhere, are shipped in a secure state, and the vendors don't stack
their home pages with temptations to change that state, then I have no
problem with any of the above technologies.

Unlike gunpowder technology, these WWW technologies can require the
recipient to agree to be damaged.  This seems to make them secure enough.
The hole in this, as Stephen has implied, is that the compliant recipient
may be an individual, while the damage is done to a corporation.
This should be avoidable using corporate proxy-servers and filtering
routers.

One improvement I would like to see in browsers is the capability of
enabling cookie/Java/JavaScript/ActiveX features by domain names.

- G.

