[2735] in WWW Security List Archive
Re: ActiveX security hole reported.
daemon@ATHENA.MIT.EDU (David M. Chess)
Wed Aug 21 14:08:30 1996
Date: Wed, 21 Aug 96 11:54:04 EDT
From: "David M. Chess" <CHESS@watson.ibm.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Well, here's one rather obvious scenario:
- Java gets signature-authentication (as promised),
- All major browsers add an option to discard any
objects (applets, ActiveX controls, and so on)
that are not signed by a registered-as-trusted
party,
- All major browsers enable centralized administration,
the way I recall HotJava did it; that is, the sysadmin
can install the browser in such a way that the end users
can't weaken the security that the admin has set up,
- All major organizations set up their systems to use
centralized administration, turn off the ability to
accept an untrusted object, and make it a firing
offense to use your own locally-installed browser
on the company's LAN (technical measures to make
this hard can also be implemented),
- therefore the only objects that anyone will
realistically be able to use over the open Web
will be objects produced and signed by parties
that are in everyone's trust-database. We can
speculate who that might be, but the makers of
browsers and operating systems seem like very
likely candidates, since systems can ship with
their public keys pre-installed! *8)
If this scenario comes to pass (and I'm not placing bets
one way or the other, myself), it means that security
concerns end up limiting the use of Web-executables to
(a) intranets, and (b) providing automatic software-update
facilities for major software houses via the open Internet.
(Of course, there are still issues about whether or not
you'd want to allow an incoming executable to run, even
if it *is* signed by a Major Software House, but my guess
is this will be no more of an issue than it is with current
shrink-wrapped software.)
There are other scenarios, of course, that assume that you
can safely accept incoming executables from strangers and
run them in a tight-enough padded cell, and/or that there'll
be some easy and feasible method to come to trust authors
that are not necessarily in the Fortune 50...
- -- -
David M. Chess | Not responsible for
High Integrity Computing Lab | personal belongings
IBM Watson Research |
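The scenario above amounts to an admission policy: a browser keeps a trust database of signers, discards anything not signed by one of them, and the admin's configuration cannot be weakened by the end user. The following Python is an added illustration of that policy logic, not code from the post or from any browser of the period. It uses an HMAC as a stand-in for a public-key signature (the standard library has no RSA or ECDSA), so the key names, the "acme-browser" publisher and all object bytes are constructed; the decision logic is the same whichever signature scheme sits underneath.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# --- Stand-in for public-key signatures ------------------------------------
# Assumption: an HMAC over the object bytes plays the role of a signature.
# Real code signing uses an asymmetric key so the verifier holds only a
# public key; the admission policy below does not depend on that difference.

def sign(key: bytes, content: bytes) -> bytes:
    """Publisher side: produce the 'signature' over the object bytes."""
    return hmac.new(key, content, hashlib.sha256).digest()

def verify(key: bytes, content: bytes, signature: bytes) -> bool:
    """Verifier side: constant-time comparison against a fresh computation."""
    return hmac.compare_digest(sign(key, content), signature)

@dataclass(frozen=True)
class WebObject:
    """An incoming applet/control. signer=None means it arrived unsigned."""
    name: str
    content: bytes
    signer: Optional[str] = None
    signature: Optional[bytes] = None

@dataclass(frozen=True)
class Policy:
    accept_untrusted: bool              # the browser option the post asks for
    trusted_signers: Dict[str, bytes]   # the "trust-database": signer -> key

def effective_policy(admin: Policy, user: Optional[Policy]) -> Policy:
    """Centralized administration: user settings may only narrow the admin's
    policy (drop signers, stay strict), never widen it."""
    if user is None:
        return admin
    return Policy(
        accept_untrusted=admin.accept_untrusted and user.accept_untrusted,
        trusted_signers={
            name: key for name, key in admin.trusted_signers.items()
            if name in user.trusted_signers
        },
    )

def admit(obj: WebObject, policy: Policy) -> Tuple[bool, str]:
    """Decide whether the object may run, with the reason for the decision."""
    if obj.signer is None or obj.signature is None:
        return (policy.accept_untrusted, "unsigned")
    key = policy.trusted_signers.get(obj.signer)
    if key is None:
        return (policy.accept_untrusted, "signer not in trust database")
    if not verify(key, obj.content, obj.signature):
        # A signature that fails to verify is never admissible, even where
        # untrusted objects are: the object was tampered with or mis-signed.
        return (False, "signature does not verify")
    return (True, "signed by trusted party")

# Constructed sample data: one pre-installed vendor key, admin locks out
# untrusted objects.
ACME_KEY = b"constructed-key-acme-browser-vendor"
ADMIN_POLICY = Policy(accept_untrusted=False,
                      trusted_signers={"acme-browser": ACME_KEY})

def demo() -> Dict[str, Tuple[bool, str]]:
    payload = b"applet bytes (constructed)"
    good = WebObject("update.cab", payload, "acme-browser",
                     sign(ACME_KEY, payload))
    tampered = WebObject("update.cab", payload + b"!", "acme-browser",
                         good.signature)
    unsigned = WebObject("game.class", b"unsigned applet (constructed)")
    # The user tries to re-enable untrusted objects; the admin lock wins.
    user = Policy(accept_untrusted=True,
                  trusted_signers=ADMIN_POLICY.trusted_signers)
    policy = effective_policy(ADMIN_POLICY, user)
    return {"good": admit(good, policy),
            "tampered": admit(tampered, policy),
            "unsigned": admit(unsigned, policy)}

if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label:9s} -> {'RUN' if ok else 'DISCARD'} ({why})")
```

The point of `effective_policy` is the admin lock the post describes: a user profile can remove signers or stay strict, but it cannot flip `accept_untrusted` back on or add a signer the admin never installed. Note also that a failed signature check is refused unconditionally, which is a different outcome from "signer unknown".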