More on ActiveX Versus Java Security: Are you secure?
by David Stone
My last essay on trusting your next downloads got lots of mail. Half of it was bounced messages from AOL and CompuServe: apparently both had either MX or DNS problems last Saturday when the issue went out. (If you didn't get your issue, check the link above to read it before proceeding.) But the more interesting half were people telling me that I ducked the issue about the relative safety of Java vs. ActiveX.
Yes, I did duck the issue, mainly because I don't have the skills to really evaluate their differences. But many of you do, and you wrote unanimously to tell me that Java is head and shoulders better. Some of you even included some facts to support your opinions.
All of this reminds me of the November 1989 debates over Ring 0 between Microsoft (OS/2 LAN Manager back then) and Novell's NetWare 386 server operating systems. Back then we had each company trying to show how insecure the other's OS was. But I digress. Here are some comments (printed with the authors' permission).
First, Bob Denny, author of WebSite and last seen here at Web Informant #50, writes:
David, you took the position in your last Web Informant that everything is dangerous, and that ActiveX is just as good/bad as the other stuff (plugins, Java, etc.). You are wrong: Java is far safer than ActiveX. It was when it was first released last year, and it is even more so now with the Java Development Kit 1.1 release.
I would download and run an unsigned Java applet without hesitation. I won't run ANY ActiveX applet on my machine, even signed ones, unless they are signed from someone I trust.
Trust is a squirrelly notion. A real security policy is a matrix of assertions and capabilities. The more you trust the thing, the more you permit it to do. Microsoft's assertion is that if it looks trustworthy let it have free rein. I don't buy this at all -- I have to depend on my machines to get clean code written every day.
So whom do I trust for delivering ActiveX applets? Basically, Microsoft and a few others. How can I trust J Random Developer? More to the point, doesn't this create an oligarchy with Microsoft at the top? How does J Random Developer get me to use his applet? Just because he signed it doesn't mean it doesn't have bugs that can cripple my system or Trojan horses that can do other nasty stuff.
How does Java work? If I write a Java applet, this code passes through a sanitizer/verifier before the Java Virtual Machine even tries to execute it! There are no pointers in Java, so there's no way to inject sneaky code. The Java machine code is scanned at applet-start time to ensure that it does not contain any funny stuff that could affect its integrity.
Once this applet is delivered to a browser, there are safeguards that Microsoft and Netscape put into their browsers' Java SecurityManagers. These SecurityManagers MUST be started prior to any applet code being executed. This object filters "potentially dangerous" operations and denies some set of them. What is denied is up to the browser implementer.
The Java designers saw at the outset that it was absolutely essential to first create the means of controlling what rights a downloaded, untrusted applet has. They knew all along that a trust-assignment system was also needed, but they decided to attack the tough problem first (Java has code signing now as well). So Java operates in a controlled environment, and the client/browser implementor (Microsoft, Netscape) controls what rights any applet has. The limits on Java applets are set by policy and NOT by Java's basic design.
This is today's technology. It's good!
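To make Bob's point about the SecurityManager concrete (the host sets the policy, the downloaded code has no say, and the manager must be installed before any untrusted code runs), here is an added example of a host-defined sandbox written in the style of the JDK 1.1 API he describes. It is not code from the column or from any of its correspondents. The class names, the deny-everything policy and the two "Trojan" actions the stand-in applet attempts are all assumptions for illustration. It runs as written on JDK 8 through 17; JDK 18 to 23 require starting the JVM with -Djava.security.manager=allow, and JDK 24 and later removed the SecurityManager mechanism entirely.

```java
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.net.Socket;
import java.security.Permission;

/**
 * Added example, not from the original page: a host (think "browser") installs
 * a policy that decides what untrusted code may do. The untrusted code itself
 * cannot loosen that policy; it can only discover, via SecurityException, that
 * an operation was refused.
 */
public class AppletSandboxDemo {

    /** Hypothetical policy: untrusted code may read no files and open no sockets. */
    static final class DenyAllSandbox extends SecurityManager {
        @Override
        public void checkRead(String file) {
            // FileInputStream/FileReader call this before opening anything.
            throw new SecurityException("read denied: " + file);
        }

        @Override
        public void checkConnect(String host, int port) {
            // Socket and InetAddress resolution call this (port -1 = name lookup).
            throw new SecurityException("connect denied: " + host + ":" + port);
        }

        @Override
        public void checkPermission(Permission perm) {
            // Everything not covered by the two overrides above is allowed, so the
            // demo itself (printing, class loading) keeps working. A real browser
            // policy would consult its trust matrix here instead of allowing all.
        }
    }

    /** Stand-in for a downloaded applet: tries two things a Trojan horse might. */
    static String untrustedAppletCode() {
        StringBuilder report = new StringBuilder();

        // Attempt 1: read a local file (path is an illustrative constant).
        try (FileReader r = new FileReader(new File("/etc/passwd"))) {
            report.append("file read: allowed\n");
        } catch (SecurityException e) {
            report.append("file read: ").append(e.getMessage()).append('\n');
        } catch (IOException e) {
            report.append("file read: io error\n");
        }

        // Attempt 2: phone home (hostname is a constructed, non-routable name).
        try (Socket s = new Socket("example.invalid", 80)) {
            report.append("socket: allowed\n");
        } catch (SecurityException e) {
            report.append("socket: ").append(e.getMessage()).append('\n');
        } catch (IOException e) {
            report.append("socket: io error\n");
        }
        return report.toString();
    }

    public static void main(String[] args) {
        // The policy MUST be in place before a single line of untrusted code runs;
        // installing it afterwards would let the applet act during the gap.
        System.setSecurityManager(new DenyAllSandbox());
        System.out.print(untrustedAppletCode());
    }
}
```

Run it and both attempts come back as SecurityException messages from the sandbox rather than as "allowed". Swap DenyAllSandbox for a manager whose checkRead only permits a scratch directory and you have changed the applet's rights without touching the applet, which is exactly the policy-versus-design distinction the letter draws; on an ActiveX control there is no equivalent hook, because the control runs as native code with the user's full rights once it has been accepted.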