
Re: ActiveX - Arrogance rules (fwd)



-----BEGIN PGP SIGNED MESSAGE-----


On Sun, 18 Aug 1996, Alan Olsen wrote:

> [Evil marketing droid attempts to collect personal data via ActiveX 
>  component.  Said cretin has big enough company name that trust is
>  probably automatic.]
> 
> ActiveX does not have a good security model because the above is possible.
> You may say that the above will not happen because of ethical concerns in
> that company.  (I have worked for companies that would do things far less
> ethical if given half the chance.  (They are in court now for some of
> them.))  Given that few (if any) people actually disassemble the apps that
> run on their machine, the chances of getting caught are slim to none.

Only one person has to recognize that the ActiveX control is performing 
nefarious background activities to blow the whistle -- and that is one
gigantic whistle.  I do not have to provide an appeal to ethics to show
that this simply will not happen with large companies.  Self interest is
enough.  Do you have any idea what kind of publicity machine would come
down on a company that did this?

I am not defending the ActiveX security model, but you are positioning 
the signing of code as worthless, which I do not accept at all.  The only
acceptable security model to me, after having watched this for a long time,
is a combination of fine grained controls over specific actions that are
enforced by the execution environment, and user-definable loosening of those 
controls based on cryptographic signature and the specific needs of their
environment.

Java provides reasonable security but is currently impossible to loosen, 
and is strikingly vulnerable to implementation bugs by browser authors
because it is normally on by default.  ActiveX in IE will now refuse to
execute unsigned controls unless it's turned off by the user, which makes
it less of a problem to the hugely naive but is definitely going to burn
a lot of people who have just enough knowledge to be dangerous.  Further,
this puts too much power into the domain of those keys, which if
compromised could lead to disaster.

We're a ways from a solution without warts.

- --
Paul Phillips <paulp@go2net.com>
Vice President, Technology
go2net, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMhfBV5vrC979W0jVAQECfgQAgcRJ2r0KyGSwu5c9UHEqUlkUWjO+xgp9
eA+cjV+w3Z1ExBFVbu6y57EfmNoeZoCouakElUzI5dComMMy+rwmfPoT4xWsnguy
VoqdUOhQ3OHdIgGfi+z6svZoCkbCIYWFWpbn9+Q5vwRff/MtZJmfla/S+XCHE9wE
gBCspGsPyIo=
=/DHM
-----END PGP SIGNATURE-----