[4972] in WWW Security List Archive
Re: Prediction:Plug-ins will go away (Re: Automatic trojans)
daemon@ATHENA.MIT.EDU (Richard Costine)
Wed Apr 2 15:04:40 1997
Date: Wed, 02 Apr 1997 12:23:20 -0400
From: Richard Costine <rjc@n2k.com>
To: jay@homecom.com
CC: Matthew Patton <patton@sysnet.net>, WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Jay Heiser wrote:
>
> In the grand scheme of things, I lump browser plugins (and the code they
> execute) in with Java, ActiveX and (MS-Word) macros as forms of
> executable content. I think that plugins are either going to go away,
> or they are going to be extended to take advantage of some browser-based
> security infrastructure. Executable content is a great idea, but it's
> even better when it doesn't needlessly introduce vulnerabilities.
>
> Matthew Patton wrote:
>
> Ok, I doubt this registers on anybody's scope as new, but given the
> following:
>
> >Navigator can also automatically download and install plug-ins when it
> >encounters a page requiring a plug-in you don't already have.
>
> as featured in Netscape Communicator (or maybe even v3.x?) sounds
> like a perfect opportunity to introduce little nasties with perhaps
> nothing more than a dialog box asking the user if he wants it. My
> guess is the average Joe will just hit the "heck yeah, why not?"
> button. Congratulations you've just been infected with (pick your
> flavor).
>
> Any thoughts on how to deal with this other than the obvious and
> never ending "user awareness training"??
I agree that executable content is a "good thing" - it adds value to the
'net, may allow you to better utilize bandwidth by pushing functionality
out to the user's workstation, and adds originality to an otherwise boring
library-based medium. It also works provided that you have a trusted
sandbox to play in. I don't think most "clueful" folks place a lot of
trust in the sandbox that they've been given to use (i.e. Java and
ActiveX). I guess supplying this "trust" is a job for the real
programmers that are left. You know: the ones that actually know how to
write code that will manage a linked-list or binary-tree, or still know
what a hash table is, and why you would use one in lieu of the former,
or the ones that can make sure their code is secure from buffer overruns
and the like. They'll write that code and prove to the clueful that it
is trusted by supplying the source.
Note: Clueful = Internet security-conscious group of people