[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Securing ActiveX.

To: Blake Coverett <[email protected]>
Subject: RE: Securing ActiveX.
From: Ray Arachelian <[email protected]>
Date: Wed, 18 Dec 1996 13:18:25 -0500 (EST)
cc: "[email protected]" <[email protected]>
In-Reply-To: <[email protected]>
Sender: [email protected]

On Tue, 17 Dec 1996, Blake Coverett wrote:

> It's not a Java vs ActiveX thing for me at all.  What is important is that
> some of the applets I write can't function in a sandbox, they need access
> to the disk and other resources for business reasons.  For this type of
> thing signed code without a sandbox is the only choice.

Sure they can.  Get a file system that honors security and limit that 
applet's access to certain directories only where the data it needs 
lives.  Do not give it access to everything.  A sandbox will allow this.

> What I'd really like is the sort of thing Bill Frantz is describing on 
> another branch of this thread.  Signed code and an administrator 
> defined policy that specified for a given signature exactly what 
> types of resources should be accessible.  Anything from don't
> execute and audit a security alarm to complete access to the
> whole machine.

Same difference whether you use the signature or some other thing to 
grant or revoke access to certain resources.  Though if you use a 
signature as in the author who wrote it as opposed to something like a 
CRC which is unique for every control - then you are opening a wider hole 
than you want.  With apps like that you want to set security perms for 
each application, not all applications that were written by Macrosoft. :)

> > How many users know how to download the jdk and run the java vm locally?  
> 
> They don't need to.  All they need to do is unzip the java classes into their 
> classpath and all of the normal restrictions on an applet are ignored.  
> Think it would be very hard to persuade a user to do just that in order
> to play a kewl java game?  More importantly it shows that even expert
> users don't always know where the holes in the sandbox are.

Fine - how many game users who how to unzip the java classes into their 
classpath?  Question is of knowledge not of what action they will take.

=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.|  Ray Arachelian    | "If  you're  gonna die,  die  with your|./|\.
..\|/..|[email protected]|boots on;  If you're  gonna  try,  just |/\|/\
<--*-->| ------------------ |stick around; Gonna cry? Just move along|\/|\/
../|\..| "A toast to Odin,  |you're gonna die, you're gonna die!"    |.\|/.
.+.v.+.|God of screwdrivers"|  --Iron Maiden "Die With Your Boots on"|.....
======================== http://www.sundernet.com =========================

References:
- RE: Securing ActiveX.
  - From: Blake Coverett <[email protected]>

Prev by Date: Electric Library Gift Idea
Next by Date: Re: ITAR -> EAR; loss of First Amendment Rights.
Prev by thread: RE: Securing ActiveX.
Next by thread: RE: Securing ActiveX.
Index(es):
- Date
- Thread