
Re: ActiveX security hole reported.



>The question I have is "If this had been signed by an "authoritative source"
>(such as Microsoft), would these dialogs pop up in the first place?
>
>An example would be if I worked for company X, wrote an app that read off
>all the names on your PGP keyring and had it signed by the appropriate app
>signing service, would there be any warning for the "victim"?"  Probably not.
>
>The problem with the ActiveX security model is it assumes that you can trust
>the company who is doing the signing to be operating in your best interest
>and be vigilant for dangerous and bad apps.  I do consider pleas to
>authority to be a good security model.  There are far too many people with
>far too many motivations to have this model add to my level of security.
>
>At least Java tries to prevent these apps from being able to be written in
>the first place.  ActiveX says trust an app signed by Microsoft and
>anything they want goes.  (I trust Microsoft about as far as I can throw a
>General Protection Fault.)
>
>The ActiveX security model is not a security model.  It is an act of
>religious faith.

Actually, to answer your question at the beginning: IE does come up with a
dialog if a certain ActiveX control was signed and not verified through
you. And if it was signed, you can check the signature before you run it. So
personally I think it is not all that great that this can happen, BUT it
opens the doors to what a real ActiveX author can do. To have somebody go
out and cry because they were stupid enough not to check the signature is
sort of dumb, is it not??

Think about it, people: is there not a level of stupidity that reigns here??
Sean Robert Wilkins
Student, Staff, and the intelligent tech guy.
(SRW134@PSU.EDU)
Msg me for Public Key
Key fingerprint =  65 8B 83 06 63 AB B3 CA  55 59 81 1C 27 B3 B1 4C 
LTR
---LTR---

