CSS Button Designer

Jonathan N. Little

Joe said:
Jose wrote:





I'm not as knowledgeable as Andy but I might be able to spew forth
something useful here.

It really boils down to common sense and the idea that you cannot
completely eliminate ALL risk. You have to use your best judgement and
life in general always has some risk.

99.9 times out of 100 you should say NO to those controls because most
of it is junk and some of it is downright nasty. If you're in the
seedy part of town looking for something you really ought not be
looking for and you get a message that in order to get the trinket you
want, you have to let the control install. Seems to me common sense
should tell you that's not a very good idea.

Funny thing about ActiveX, if you go in and tweak your IE security
settings to prompt on all ActiveX activities (several settings) and in
the normal course of browsing you will be prompted to death, but other
non-ActiveX browsers, e.g., Firefox, will traverse the same sites
without any limitations. So ActiveX isn't solely for installing
controls, but IE wants to run ActiveX in the normal course of browsing,
but here is the rub, ActiveX has access to Windows COM (Component Object
Model or in other words the Windows OS) with privileges to add, modify
and delete local files and install and uninstall local executables. I am
not saying that they all do, but they have the capability to do so. I
think Mr Bill is a Trekkie and believes where everyone wears a white
hat. I personally want a distinction between 'local' and 'remote' data.
The privileges required in dealing with such should be different. Using
the same tool for both IMHO invites abuse.

<snip>
 
Joe Barta

Jose said:
When you talk about signing an ActiveX control as "safe", who is
doing the signing, and what's to prevent the programmer from lying
- that is, coding an evil program and signing it as "safe". What,
exactly, does "signing as safe" involve, and mean?


In my reading I stumbled on the following at:
http://www.4guysfromrolla.com/webtech/091698-1.shtml

<quote>
Liscencing Your ActiveX Control:
To liscence your ActiveX control, you must have your control
"digitally signed" by a third party company, such as Verisign. These
companies charge you money to evaluate your software to make sure that
it does not cause implicit harm to the machine it runs on. If your
control has no gapping security holes, and does not compromise the
integrity of the system it runs on, Verisign will assign you a digital
signature, which will be displayed when the user is prompted to
download your ActiveX control.
</quote>

Joe Barta
 
Jose

To liscence [sic on website] your ActiveX control [instructions snipped]

Ok, a third party gives you code that gets inserted into the executable
somehow. But that code just pops up a window saying "trust me". Can I
not author an Active-X control that pops up a window that says "trust
me", even if it's not signed? After all, it's just pixels I'm playing
with, no?

Jose
 
Jose

Never mind...
Ok, a third party gives you code that gets inserted into the executable somehow.
Can I not author an Active-X control that pops up a window that says "trust me", even if it's not signed?

To answer myself (I should read better!) it seems the window needs to
pop up before my executable loads. I guess the browser reads the code
in the executable and creates the window.

Yes?

Jose
 
Andy Dingley

When you talk about signing an ActiveX control as "safe", who is doing
the signing, and what's to prevent the programmer from lying

You get traceability, you don't get a guarantee. Signed ActiveXs are a
bit like SSL - you need a certificate to do it, and your certificate
really needs to be traceable back through well-known and verifiable
routes.

There are two risks. One is that your coder is malicious, the second is
that your coder is innocent, but the control can be mis-used. This is
more insidious because the signature could be very trustworthy indeed,
yet the end result is just as bad. It's hard to prove that code is
innocent, even harder when it has to do something that is
context-dependent and parameterisable. Maybe it _needs_ to be able to
write a file, but should it be able to write just any file, anywhere ?

: >"To liscence your ActiveX control, you must have your control "digitally signed"
: > by a third party company, such as Verisign. These companies charge you
: > money to evaluate your software to make sure that it does not cause implicit
: > harm to the machine it runs on. "

This is just plain rubbish. Don't take advice from people who can't even
spell licence.


As a comparison between ActiveX and Java, look at the bounds of the Java
applet sandbox. This takes another approach from plain signing - a Java
applet is just _never_ permitted to do much, no matter how well signed
and trusted it is.

Personally I commission a new machine / browser by deliberately going to
Adobe, Macromedia and a few other well-known sites to install the bare
handful of ActiveXs I use and trust, then I lock the machine down and
never install another one. No prompts, they're just blocked from
install.
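
Added example (not part of the thread or any poster's code): a minimal sketch of the confinement that the "write just any file, anywhere?" question above points at, where a component that legitimately needs to write files accepts only names that resolve inside its own directory. `ConfinedWriter` and its method names are hypothetical, the sample names are constructed, and Python stands in for whatever language a real control is written in.

```python
import os
import tempfile

class ConfinedWriter:
    """Hypothetical stand-in for a control's scriptable 'save file' method."""

    def __init__(self, base_dir):
        # Resolve once so every later comparison uses the real location.
        self.base = os.path.realpath(base_dir)

    def resolve(self, requested):
        """Return the real target path; raise PermissionError if it leaves base."""
        if os.path.isabs(requested):
            raise PermissionError("absolute paths are not accepted")
        # realpath collapses '..' and follows symlinks before the check.
        target = os.path.realpath(os.path.join(self.base, requested))
        try:
            inside = os.path.commonpath([self.base, target]) == self.base
        except ValueError:  # e.g. different drives on Windows
            inside = False
        if not inside or target == self.base:
            raise PermissionError("path is outside the control's directory")
        return target

    def save(self, requested, data):
        target = self.resolve(requested)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        return target

def demo():
    """Run constructed caller-supplied names through the writer."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        writer = ConfinedWriter(os.path.join(root, "control-data"))
        os.makedirs(writer.base)
        # A symlink inside the directory that points back out of it.
        os.symlink(os.path.realpath(root), os.path.join(writer.base, "link"))
        samples = ["report.txt", "sub/notes.txt", "../outside.txt",
                   "link/x.txt", os.path.join(root, "abs.txt")]
        for label, name in zip(("plain", "subdir", "dotdot", "symlink", "absolute"), samples):
            try:
                writer.save(name, b"constructed sample data")
                results[label] = "written"
            except PermissionError:
                results[label] = "refused"
    return results
```

The check runs the same way whether or not the component is signed, which is the distinction drawn above between knowing who published the code and limiting what a caller can make it do.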
 
