Re: Is Active-X really so bad?
chris_at_nospam.com
Date: 04/12/04
Date: Mon, 12 Apr 2004 04:43:10 GMT
On Sun, 11 Apr 2004 19:30:47 -0500, dpuryear@usa.net wrote:
>On Sun, 11 Apr 2004 23:31:00 +0100, Jackeline D <jenny@privacy.net>
>wrote:
>
>>As a bit of background, I found this:
>>http://www.cs.princeton.edu/sip/java-vs-activex.html
>>"The main danger in ActiveX is that you will make the wrong
>>decision about whether to accept a program."
>>
>>Is that the main danger? That's all? I can live with that!
>
>Here's the deal. Security with ActiveX is based on whether or not the
>user trusts the provider of the ActiveX component. Do you know the
>history of each provider? Are you confident in the security of their
>networks and how they manage and store their software releases?
>
>If you allow by default all ActiveX components then you are explicitly
>trusting all providers, even if you don't know who they are.
>
>To put it in another form: Would you trust someone you don't know to
>stay in your home while you are away on vacation? If not, why would
>you trust an unknown provider's software to run on your computer?
>
>I would like to see ActiveX rely on a *total sandbox environment* and
>to use end-user acceptance as a final sanity check and as an "okay" to
>run.

Given the multitude of ways to break out of the sandbox in IE, this
isn't acceptable either. What you really want is a standalone browser
that has no power to alter the system. Or the real answer would be to
dump IE, but I keep running across sites that don't display correctly
on standards-based browsers.
-Chris