ActiveX security

Thomas Dowling tdowling at OHIOLINK.edu
Tue Oct 29 12:48:43 EST 1996


> From what I understand, while Java tries to ensure a secure environment
> in which untrusted programs can do no harm, ActiveX programs are given
> relatively free rein.  Instead, there are plans to support
> authentication of ActiveX programs so you can know who you are trusting
> when you run one.  (That's the theory, anyway -- personally I'm
> doubtful.  Even if the authentication system could be made to work
> reliably, I think that naive users would run programs from
> hackers-R-us.org anyway.)

ActiveX is really more an offshoot of Microsoft's development with COM to
assist in inter-application communication.  Grafting it onto the web has
always struck me as an "I wonder if we can make this work" sort of
afterthought.

The current issue of Byte, by the way, includes a sidebar on a completely
legitimate ActiveX control, digitally authenticated by Verisign, which
performs a clean shutdown of Win95 (and warns you that it could just as
easily have reformatted your c: drive).  Verisign authentication is only
checking that the code hasn't been altered, not that it won't do nasty
things to your system.

That's "Bug of the Month" on p. 32 of the November issue, btw.

Thomas Dowling
tdowling at ohiolink.edu
Ohio Library and Information Network

