Interesting list
Well, what would you have them do - trust nobody and get no useful work done? Wasn't that the original Java applet model? Wasn't it eventually extended to support authentication via trusted applets? Any idea why?
The JVM security model is based on a sandbox, where the granularity of the authentication could be controlled. I can trust an Applet for things such as printers, but block it from disk access. Active-X, OTOH, is an all or nothing proposition: Either you block it, or you give it access to everything - no choice in between.

I suppose one can make the case that Java failed based on performance and features. But one can also make the case that ActiveX failed because of its flawed security model.

I'm surprised to learn that ActiveX is such an unsuccessful technology. After all, right here on my machine are RealPlayer, Acrobat Reader, Flash, Shockwave, and several other popular ActiveX components, and those are just the ones I downloaded. The total list of ActiveX components on this system easily numbers in the hundreds, and includes such abysmal failures as Media Player and Internet Explorer.
I'm shocked! Last I heard, Microsoft was promoting IE as a core part of the Operating System, not as some downloadable Active-X component.

In most cases you cite, these programs are not really confined to the Active-X framework (with the possible exception of Shockwave). Yes, some of them are participants in Active-X, but almost every one of them is really just an executable program that you downloaded or installed just like any other native program.

Don't believe me? Then go check the installation directories for these programs - likely scattered in the Progra~1 and system32 directories. Now tell me how many of these programs are confined to the "Windows\Downloaded Program Files". I see Shockwave and you'll probably see a few others. Of the list you cite, how many are confined to this directory - and hence qualify as Active-X success stories?
Oh, so it was YOU!
Of the list you cite, how many are confined to this directory - and hence qualify as Active-X success stories?
Murdarah!!!
   Christian R. Conrad
The Man Who Knows Fucking Everything
rephrasing?
So, I guess I should rephrase it. How about teen speak -

Of the list you cite, how many are confined to this directory - and you know qualify as Active-X success stories?

or would you prefer a great white north spin -

Of the list you cite, how many are confined to this directory - and eh qualify as Active-X success stories?

Ok, so I'd need a bunch more 'you know's and 'eh's to make it realistic. How about a substitution of: thus; therefore; so; ergo; consequently; subsequently; correspondingly; accordingly? Any of those work and hence get me off the hook? :-)
I take it you *do* know what I'm referring to
Da Crittah:
How about a substitution of: thus; therefore; so; ergo; consequently; subsequently; correspondingly; accordingly? Any of those work and hence get me off the hook? :-)
Well, yeah, they *would* have... Except, of course, you leapt back on it! :-)

Anyway, I assume you got the reference: It was to the Boulder (Wasn't it?), CO, Police Dept -- who claimed that someone's (her parents, IIRC?) use of that phrase "proved" that they were the ones who (abducted and later?) murdered that kid, Jon Benet Something (Ramsey?). (Having, in the interim, sent a ransom demand or something, containing the "unique" -- yeah, right! -- phrase "and hence".) You may have seen me, too, use it, only the other day -- I guess that I kind of reminded myself of it, then, and hence pounced on it now...

Anyway, that's the most moronic piece of police "evidence" I've ever heard of. Still pisses me off, apparently.
   Christian R. Conrad
The Man Who Knows Fucking Everything
Re: Interesting list

The JVM security model is based on a sandbox, where the granularity of the authentication could be controlled. I can trust an Applet for things such as printers, but block it from disk access.

The person to whom I replied criticized the ActiveX component signing model for being too much of a hassle for the average user. If you agree, do you not also agree that setting up trusted applet policies is even more of a hassle?

Active-X, OTOH, is an all or nothing proposition: Either you block it, or you give it access to everything - no choice in between.

Not quite. ActiveX components run with the browser's account permissions. You can always run the browser under a restricted account, thereby letting the OS set up the sandbox. In fact, account permissions are typically much more configurable than applet policies.

I suppose one can make the case that Java failed based on performance and features. But one can also make the case that ActiveX failed because of its flawed security model.

I disagree completely. ActiveX is a code packaging and delivery technology. Its only responsibility in terms of security is to provide secure transit, which is exactly what it does with component signing. Java-style sandboxing is brain-damaged because (a) the OS already provides permission-based security, and (b) the whole point is to take advantage of client resources. No wonder Sun eventually provided ways to poke holes in the sandbox.

In most cases you cite, these programs are not really confined to the Active-X framework (with the possible exception of Shockwave). Yes, some of them are participants in Active-X, but almost every one of them is really just an executable program that you downloaded or installed just like any other native program.

Hardly. All of the things I mentioned run embedded within the browser or any other application supporting COM/OLE containment. "Regular" executable programs don't do that.

Don't believe me? Then go check the installation directories for these programs - likely scattered in the Progra~1 and system32 directories. Now tell me how many of these programs are confined to the "Windows\Downloaded Program Files". I see Shockwave and you'll probably see a few others. Of the list you cite, how many are confined to this directory - and hence qualify as Active-X success stories?

I reject the notion that ActiveX components must be installed in any particular place to qualify. That's not what makes them ActiveX components - it's the ability to run embedded within ActiveX containers.

Viruses and verified security holes
The long list of viruses that can transport themselves using ActiveX, and the long list of security holes that ActiveX is known to leave people open to is reason enough to not write home about its security model.

Corresponding lists for Java are much, much smaller. Yet Java is more widely deployed in browsers than ActiveX!

That alone stands as darned good evidence that ActiveX is substantially worse than Java. Create all of the theories you want for why ActiveX is not as bad as it looks, concrete evidence strongly suggests that ActiveX is unhealthy for your computer.

Cheers,
Ben
Re: Viruses and verified security holes

The long list of viruses that can transport themselves using ActiveX, and the long list of security holes that ActiveX is known to leave people open to is reason enough to not write home about its security model.

I'd like to see that "long list". I bet you'll find that very few viruses - if any at all - take advantage of any flaw related to ActiveX. All the recent big ones are simply Trojan-horse executables delivered via e-mail, exploiting nothing more than the ease with which popular e-mail clients allow users to launch attachments.

Corresponding lists for Java are much, much smaller. Yet Java is more widely deployed in browsers than ActiveX!

I doubt it, since Microsoft's JVM is an ActiveX component, as is the browser itself. If you use IE, you use dozens of ActiveX components even if you browse nothing but plain text.

That alone stands as darned good evidence that ActiveX is substantially worse than Java.

Sun took the time and effort to create trusted applets. That stands as darned good evidence that Java's original sandbox model was deeply flawed.

[...] concrete evidence strongly suggests that ActiveX is unhealthy for your computer.

It may suggest that, but only to people who don't understand the technology. ActiveX is basically two things: native code delivery and embedded execution. In terms of native code delivery, blaming ActiveX for viruses is like blaming the postal service for letters carrying bombs or anthrax. Every argument you can make against ActiveX's native code delivery applies equally well to FTP and HTTP downloads. In fact, signing makes ActiveX safer than the alternatives. As for embedded execution, there's obviously a need; otherwise, Netscape plug-ins would never have been developed. And if you accept that there's a need, you must also accept that ActiveX components are in every way superior to plug-ins - they support component signing, they are way easier to use, and they can be used by other applications.

ActiveX is actually one thing...
..based on another.

ActiveX is code delivery technology based on OLE2. Remember? Object Linking and Embedding. IE is not delivered across the net. That makes IE an OLE control, not an ActiveX control. Most of the stuff you have on your computer is OLE controls, installed by various setup routines. Some things (Sun's Java VM is an example) arrive as a result of browser parsing <OBJECT> tags. Those are true ActiveX controls.

Microsoft managed to successfully leverage OLE's success into an appearance of ActiveX success. But I think it's just an appearance.
     J2EE vs. Microsoft.NET - (cforde) - (28)
         Security is simple either via net or java - (boxley) - (4)
             That is a procedural model of security - (ben_tilly) - (3)
                 Actually J2EE uses a declarative model - (bluke)
                 Hmmm...got any other links? - (tseliot) - (1)
                     Sorry... - (ben_tilly)
         .NET replays the ActiveX fiasco - (neelk) - (22)
             Side note. - (inthane-chan) - (7)
                 Muah. - (admin) - (2)
                     Moi, for one. -NT - (CRConrad)
                     Is most amusing. -NT - (static)
                 I don't get it... - (neelk) - (3)
                     I don't get it either. - (inthane-chan)
                     Kitchen sink... - (ChrisR)
                     I bet it's issues with the Virtual Machine. - (static)
             Re: .NET replays the ActiveX fiasco - (Squidley) - (13)
                 Interesting list - (ChrisR) - (7)
                     Oh, so it was YOU! - (CRConrad) - (2)
                         rephrasing? - (ChrisR) - (1)
                             I take it you *do* know what I'm referring to - (CRConrad)
                     Re: Interesting list - (Squidley) - (3)
                         Viruses and verified security holes - (ben_tilly) - (2)
                             Re: Viruses and verified security holes - (Squidley) - (1)
                                 ActiveX is actually one thing... - (Arkadiy)
                 Re: .NET replays the ActiveX fiasco - (neelk) - (3)
                     EzBug hangover? - (pwhysall) - (1)
                         Finger habits are hard to break. :) -NT - (neelk)
                     typo fix - (neelk)
                 Re: .NET replays the ActiveX fiasco - (pwhysall)
