[4560] in WWW Security List Archive
Re: SBN Wire: News Flash
daemon@ATHENA.MIT.EDU (Adrian L. Hosey)
Fri Feb 21 14:06:32 1997
From: "Adrian L. Hosey" <ahosey@indiana.edu>
To: www-security@ns2.rutgers.edu
Date: Fri, 21 Feb 1997 10:46:39 -0500 (EST)
Errors-To: owner-www-security@ns2.rutgers.edu
:
: I do not know the gut details of IE and ActiveX. What does
: "security level high" mean in IE? (That is not a rhetorical
: question. :) If it means the code must be signed and its
: signature is checked, so what? After all, even malicious code
: can be signed, tested code have a latent trojan horse, and
: responsible parties outside of easy jurisdictional reach.
:
I think you've hit the nail on the head right there. You cannot provide
technical protection using legal methods, which is why ActiveX and
Authenticode are just so much crap. It's small consolation to the
person/company that's lost $$$ in time/cash/information that a warrant
has been issued for the guilty parties. And even if they are caught,
here come the courtroom headaches.

Authenticode is "reactive" security (which I think really doesn't
qualify as security - at best it's damage control). Microsoft, judging
by this press release, is trying to pass it off as "proactive" security,
and it ain't so.

You know, it's just occurred to me that if ActiveX did use a sandbox
approach, MS couldn't charge a fee for certificates. Hmmm.
- A
--
It's a Zen thing. You already understand.