Posted by Andy Dingley on 01/24/06 02:25
On Sat, 21 Jan 2006 03:04:18 GMT, Jose <teacherjh@aol.nojunk.com> wrote:
>When you talk about signing an ActiveX control as "safe", who is doing
>the signing, and what's to prevent the programmer from lying
You get traceability, you don't get a guarantee. Signed ActiveXs are a
bit like SSL - you need a certificate to do it, and your certificate
really needs to be traceable back through well-known and verifiable
routes.
There are two risks. One is that your coder is malicious, the second is
that your coder is innocent, but the control can be mis-used. This is
more insidious because the signature could be very trustworthy indeed,
yet the end result is just as bad. It's hard to prove that code is
innocent, even harder when it has to do something that is
context-dependent and parameterisable. Maybe it _needs_ to be able to
write a file, but should it be able to write just any file, anywhere?
: >"To liscence your ActiveX control, you must have your control "digitally signed"
: > by a third party company, such as Verisign. These companies charge you
: > money to evaluate your software to make sure that it does not cause implicit
: > harm to the machine it runs on. "
This is just plain rubbish. Don't take advice from people who can't even
spell licence.
As a comparison between ActiveX and Java, look at the bounds of the Java
applet sandbox. This takes another approach from plain signing - a Java
applet is just _never_ permitted to do much, no matter how well signed
and trusted it is.
Personally I commission a new machine / browser by deliberately going to
Adobe, Macromedia and a few other well-known sites to install the bare
handful of ActiveXs I use and trust, then I lock the machine down and
never install another one. No prompts, they're just blocked from
install.
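An added example (not code from Andy's post) covering two points above: that a signature gives you a traceable signer chain rather than a guarantee of safe behaviour, and the "lock the machine down, no prompts, just blocked" step at the end. It assumes Windows PowerShell on the machine being commissioned; the .ocx path in the usage lines is a placeholder, and the zone action IDs are the Internet Explorer registry values.

```powershell
# Added example, not part of the original post. Run in Windows PowerShell on
# the machine being commissioned. The control path used at the bottom is a
# placeholder; the numeric zone action IDs are Internet Explorer's own.

function Get-ControlSignerChain {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "No such file: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status reports whether the signature is intact and chains to a trusted
    # root (Valid, NotSigned, HashMismatch, NotTrusted, ...). It tells you who
    # signed the control, never whether the control is safe to script.
    $signer = $null
    $timestamper = $null
    $chainSubjects = @()
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'   # check revocation, not just trust
        [void]$chain.Build($sig.SignerCertificate)
        # Leaf first, root last: this is the traceability the post describes.
        $chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $chain.Reset()
    }
    if ($sig.TimeStamperCertificate) { $timestamper = $sig.TimeStamperCertificate.Subject }

    [pscustomobject]@{
        File      = $Path
        Status    = $sig.Status
        Signer    = $signer
        Timestamp = $timestamper
        Chain     = $chainSubjects
    }
}

function Set-InternetZoneActiveX {
    [CmdletBinding()]
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode = 'Disable')

    # IE zone 3 is the Internet zone; action values are 0 = enable, 1 = prompt,
    # 3 = disable. 'Disable' gives the "no prompts, just blocked" behaviour.
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    $zone  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $actions = [ordered]@{
        '1001' = 'Download signed ActiveX controls'
        '1004' = 'Download unsigned ActiveX controls'
        '1200' = 'Run ActiveX controls and plug-ins'
        '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
    }
    foreach ($name in $actions.Keys) {
        Set-ItemProperty -Path $zone -Name $name -Value $value -Type DWord
        Write-Verbose ('{0} ({1}) set to {2}' -f $name, $actions[$name], $Mode)
    }
}

# Usage: inspect the handful of controls already installed, then shut the door.
# 'C:\Windows\Downloaded Program Files\example.ocx' is a placeholder path.
Get-ControlSignerChain -Path 'C:\Windows\Downloaded Program Files\example.ocx' | Format-List
Set-InternetZoneActiveX -Mode Disable -Verbose
```

Two caveats. A `Valid` status with a chain ending at a well-known root only tells you the signer is traceable; a perfectly genuine control can still be the "innocent but misusable" case from the post, so the chain output is a starting point for deciding whom to trust, not a clean bill of health. And the registry writes go to the current user's hive; if the machine sets `Security_HKLM_only` under `HKLM\...\Internet Settings`, or Group Policy manages the zones, the HKLM or policy values win and this per-user change is ignored.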