Security of ActiveX vs Java

Resent-Date: 22 Sep 1997 14:08:19 -0000
Resent-From: linux-security@redhat.com
From: А.Зубарев

In IE I always have Java turned off (JScript, though, is on). That is since the time my D: drive got formatted without warning when I visited some guy's page. Good thing I at least saved the applet; we dug into it later and found that it was only IE, and specifically applets.

On Sun, 21 Sep 1997, Wade Hampton wrote:

> Having recently read about the lack of security
> of Active X controls, I was wondering if I could
> get some specifics about its lack of security
> versus the security of JAVA. Also about the
> security of JAVA under Linux.

> I understand that
> MS's concept of security is a) investigate the
> vendor, b) issue a certificate of authority, 3)
> vendor is now trusted to do anything (fox guarding
> the hen house!).

Microsoft never promised to investigate anybody. Proving identity says nothing about trustworthiness. Code signing provides a measure of accountability -- though not very much -- but accountability is only one part of security.

> 1. How insecure is Active X?

Immensely. ActiveX executes native binary code. Within the limitations of the MMU, this code can scribble all over memory. Since ActiveX controls execute in the same address space as the browser, they can overwrite the browser, other ActiveX controls, the filesystem, and network connections either maliciously or unintentionally.

In theory, ActiveX controls are restricted by the OS object-level security of NT. (This is no protection for the majority of people who use 95, of course.) However, few machines running browsers have rigorously configured their filesystem or OS permissions, and even fewer are protected against malicious code executed by the user themselves.

> 2. How much more secure is Java than Active X
> (active X controls)?

Java has a specified, documented and enforced security model which restricts the operations which an applet can perform. Amongst other points:

- Java code is subjected to a verification process to check that the bytecodes conform to the specification: class access must be correct, types must be respected, opcodes must be valid, and so on. ActiveX controls are native machine code and unverifiable: the browser will happily try to execute garbage and crash.

- Through Java's SecurityManager interface, user agents can selectively impose fine-grained controls on downloaded code, specifying which files it can read or write, which hosts it can connect to, and so on. ActiveX controls have full access to the Win32 API -- including the undocumented bits -- and such control is impossible.

- Java has a well-defined exception model. ActiveX is native code and uses multiple inconsistent exception-handling models. Hence, buggy Java code will probably stop and report an exception, buggy ActiveX code will probably crash the browser.

- You can read and check the Java VM specification, the source of the SecurityManager, and so on, and satisfy yourself that they don't leave any holes. You have to take Microsoft's word that ActiveX is secure.

- Both Java and ActiveX support digital signing to verify the authenticity and integrity of downloaded code. Java does this using open standards, ActiveX is proprietary.

You can find more information at
http://java.sun.com/forum/securityForum.html
http://java.sun.com/forum/1.0.2.html

A search on 'ActiveX security' on www.microsoft.com on 22 Sep 1997 finds no relevant content that is not password-protected!

> 3. How much more secure is Linux than NT? Than
> Win95?

It depends on the particular machine, and on who you ask. To answer it in general, I think you have to measure a few different points on the scale: say, the basic ordinary-user situation, and the paranoid intelligent user situation.

It's probably fair to say that Linux installs in a more secure configuration than NT in most distributions. That is, there are fewer network bugs, it installs a genuinely secure FS, and at least encourages you not to run everything as root.

If a knowledgeable person invests the same amount of time in two systems, I imagine the Linux one would end up more secure. For a small investment of time and less money one can obtain block-level filesystem encryption, strong shadowed passwords, one-time passwords, SSH encrypted remote connections, kernel-level IP firewalling, trustworthy mail servers, and so on. None or few of these are available for NT to my knowledge without considerable expenditure, and in any case the source is not available for perusal or verification.

Although things have quietened down recently, NT was experiencing a couple of major security bugs per week earlier this year, far more than Linux. This proves nothing, but it does indicate the amount of effort required to keep a system secure, and the danger of not tracking every change. I haven't checked recently, but I think the basic services in RedHat 4.2 are free of major problems since its release several months ago. By contrast, the current version of NT available from s/w shops has catastrophic bugs -- OOB and RPC attacks for example -- which allow remote unauthorised access or DoS attacks. (I guess after you press a few zillion CDs you want to sell them all before you start caring about the fact that people are installing known bugs.)

There is a security vs obscurity question here, in that you can check the Linux source to assure yourself of the security model and implementation. Few people will read the whole thing of course, but to a technically aware person I think perusing the qmail source conveys more confidence than any amount of marketing guff.

> 4. What about corporate use of Active X controls
> versus Java on a sensitive Intranet?

If you absolutely trust everyone in your organization -- which is probably OK up to about fifteen people -- then ActiveX is fine. (Anyhow, rebooting regularly keeps your computer minty fresh.) If you think that somebody might install one of the numerous malicious ActiveX controls on their home page as a prank or attack, then you should reconsider.

There's another problem of ActiveX controls coming in from the Internet onto your public web site, and carrying out sensitive information. (Remember the MSN installer that uploaded a directory of their valued customers' hard disks?) Apparently some of the firewall/proxy vendors, in response to public demand, have added features to block incoming ActiveX controls.

> I have decided to use Linux for all WWW access,
> via a user account. Any sensitive information I
> have (e.g., financial) resides on a ZIP disk which
> is physically removed from the system when on
> the Internet.

It sounds like a good approach if you can justify the convenience/security tradeoff. I've heard it suggested, though I've never got around to it, that one might run Netscape in a chroot jail as nobody.

To be fair, current Java implementations are not as fast as native code, and can't access the Win32 API. (You may consider that last one a feature.) In the short term, there are some situations where Java is not a good choice. In the medium term, Java will get faster and more powerful, but ActiveX will never be secure.

(This is perhaps off topic for this list. Maybe we should drop the thread.)

::Boots

Any weapon must be kept concealed from the attacker's view until the exact moment of its usage -- Mace and Chemical Weapons, www.tscm.com --

----------------------------------------------------------------------
Please refer to the information about this list as well as general information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
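The SecurityManager hooks the reply describes (which files downloaded code may read or write, which hosts it may connect to), as an added example that is not part of the original thread: a small user-agent policy that lets code read only one directory, write nothing, and reach only its origin host. The directory, the host names and the AppletPolicyDemo class are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.net.InetAddress;
import java.nio.file.Path;
import java.nio.file.Paths;

// Constructed user-agent policy for downloaded code; paths and hosts are hypothetical.
// Runs on JDK 17 or earlier, or JDK 18-23 with -Djava.security.manager=allow (removed in JDK 24).
public class AppletPolicyDemo {
    static final Path READ_ROOT = Paths.get("/tmp/applet-sandbox"); // the only readable tree
    static final String ORIGIN_HOST = "java.example.org";           // the only reachable host
    // The JDK's own I/O classes call these hooks before acting on the caller's behalf.
    static class AppletSecurityManager extends SecurityManager {
        @Override public void checkRead(String file) {
            // Normalize first so "/tmp/applet-sandbox/../../etc/passwd" does not slip through.
            Path p = Paths.get(file).toAbsolutePath().normalize();
            if (!p.startsWith(READ_ROOT)) throw new SecurityException("read denied: " + file);
        }
        @Override public void checkWrite(String file) {
            throw new SecurityException("write denied: " + file);
        }
        // port == -1 is the name-resolution check made by InetAddress.getByName.
        @Override public void checkConnect(String host, int port) {
            if (!ORIGIN_HOST.equals(host)) throw new SecurityException("connect denied: " + host);
        }
        // Everything not covered above is permitted so the demo itself can run.
        @Override public void checkPermission(java.security.Permission perm) { }
    }
    interface Action { void run() throws Exception; }
    // Distinguish "stopped by policy" from "allowed by policy, but the operation itself failed".
    static String attempt(String what, Action a) {
        try { a.run(); return what + ": allowed by policy"; }
        catch (SecurityException e) { return what + ": " + e.getMessage(); }
        catch (Exception e) { return what + ": allowed by policy, but " + e; }
    }
    public static void main(String[] args) {
        System.setSecurityManager(new AppletSecurityManager());
        System.out.println(attempt("read inside sandbox",
            () -> new FileInputStream(READ_ROOT.resolve("data.txt").toString()).close()));
        System.out.println(attempt("read via path traversal",
            () -> new FileInputStream("/tmp/applet-sandbox/../../etc/passwd").close()));
        System.out.println(attempt("write /tmp/out.txt",
            () -> new FileOutputStream("/tmp/out.txt").close()));
        System.out.println(attempt("resolve other.example.net",
            () -> InetAddress.getByName("other.example.net")));
        System.out.println(attempt("resolve origin host",
            () -> InetAddress.getByName(ORIGIN_HOST)));
    }
}
```

The traversal and foreign-host cases are refused by the policy before any I/O happens; the sandbox read and origin-host lookup pass the policy and then succeed or fail on their own merits (a missing file or no DNS offline).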
