Date: Mon, 1 Sep 2003 13:42:51 +1200 (NZST)
From: Simon Brady <simon.brady@...go.ac.nz>
To: bugtraq@...urityfocus.com
Subject: Re: RIP: ActiveX controls in Internet Explorer?


On Sat, 30 Aug 2003, Alun Jones wrote:

> The descriptions I've heard of this suggest that this patent could be
> applied equally to prevent (or grab payment from implementors of)
> Javascript, Java, Flash, etc.
> 
> I'm with you on the security issues with ActiveX (and Javascript) - I
> disable ActiveX on the principle that it has no security consideration, and
> Javascript on the basis that it's been frequently implemented in a
> vulnerable manner.  But this is a considerably further-reaching patent than
> merely killing off ActiveX.  Before we sing "ding dong the witch is dead",
> let's have some concern for the peaceful Wiccans that might be next on the
> chopping block.

Java and Flash aren't exactly free of security issues either. In fact, I 
would go further and argue that the whole notion of a controlled 
client-side runtime environment for remote code has been an unmitigated 
disaster for the web (and this is solely from a security perspective - see 
http://members.optusnet.com.au/~night.owl/morons.html for a refreshing 
take on the usability crisis they've caused).

I'm not just referring to current implementations with their appalling 
defect rates. All client-side runtimes, no matter how well-written,  
inherently reduce security. That's their function: to give outsiders 
access to your machine they otherwise wouldn't have.

Even more insidiously, their prevalence numbs users into a mode of thought
that it's quite normal and healthy to let this happen. How can the
security community promote safe browsing when users are being forever
brainwashed into ignoring or disabling security features for the sake of
pointless but pretty downloadable applets? How can we encourage content
developers to reduce attack surface when fashion demands yet more
gratuitous bells and whistles?

Web applications belong on the server. The more widely this patent gets
applied the better off the browsing public will be.

--
Simon Brady                             mailto:simon.brady@...go.ac.nz
ITS Technical Services
University of Otago, Dunedin, New Zealand

    I don't speak for my employer, and they don't speak for me.
