Message-ID: <Pine.GSO.4.21.0309021258540.6601-100000@arlen.osc.edu>
Date: Tue, 2 Sep 2003 13:02:39 -0400 (EDT)
From: Igor Filippov <igor@....edu>
To: Simon Brady <simon.brady@...go.ac.nz>
Cc: bugtraq@...urityfocus.com
Subject: Re: RIP: ActiveX controls in Internet Explorer?
It seems the patent in question covers not only client-side
executables, but server-side as well:
"Once selected the program object executes on the
user's (client) computer or may execute on a remote server or additional
remote computers"
So, not only JavaScript/Flash/Java are subjects of this copyright
but any CGI/whatnot application as well - or am I reading it wrong?
Igor
On Mon, 1 Sep 2003, Simon Brady wrote:
> On Sat, 30 Aug 2003, Alun Jones wrote:
>
> > The descriptions I've heard of this suggest that this patent could be
> > applied equally to prevent (or grab payment from implementors of)
> > Javascript, Java, Flash, etc.
> >
> > I'm with you on the security issues with ActiveX (and Javascript) - I
> > disable ActiveX on the principle that it has no security consideration, and
> > Javascript on the basis that it's been frequently implemented in a
> > vulnerable manner. But this is a considerably further-reaching patent than
> > merely killing off ActiveX. Before we sing "ding dong the witch is dead",
> > let's have some concern for the peaceful Wiccans that might be next on the
> > chopping block.
>
> Java and Flash aren't exactly free of security issues either. In fact, I
> would go further and argue that the whole notion of a controlled
> client-side runtime environment for remote code has been an unmitigated
> disaster for the web (and this is solely from a security perspective - see
> http://members.optusnet.com.au/~night.owl/morons.html for a refreshing
> take on the usability crisis they've caused).
>
> I'm not just referring to current implementations with their appalling
> defect rates. All client-side runtimes, no matter how well-written,
> inherently reduce security. That's their function: to give outsiders
> access to your machine they otherwise wouldn't have.
>
> Even more insidiously, their prevalence numbs users into a mode of thought
> that it's quite normal and healthy to let this happen. How can the
> security community promote safe browsing when users are being forever
> brainwashed into ignoring or disabling security features for the sake of
> pointless but pretty downloadable applets? How can we encourage content
> developers to reduce attack surface when fashion demands yet more
> gratuitous bells and whistles?
>
> Web applications belong on the server. The more widely this patent gets
> applied the better off the browsing public will be.
>
> --
> Simon Brady mailto:simon.brady@...go.ac.nz
> ITS Technical Services
> University of Otago, Dunedin, New Zealand
>
> I don't speak for my employer, and they don't speak for me.
>