More on ActiveX Versus Java Security Are you secure?
Now let's look at ActiveX. You said "Microsoft says you wouldn't pick up a random floppy off the street and run the software on it, so why should you do so with an untrusted application?"
Microsoft is right but their argument does not apply to Java, only to ActiveX. There are no permissions or safeguards on what an ActiveX control can do. Instead, Microsoft had to implement this code signing business to establish a trust level. The exposure to damage by ActiveX applets is not controlled at all, unless you, the user, decide not to run something on your machine. They have no intrinsic safety system.
Microsoft has demoted Java into a Common Object Model implementation language. Meanwhile, JavaSoft is silent and continues to let Microsoft pick the arena and set the terms of the battle. In the meantime, you and the rest of the trade press go along with what Microsoft says and tar Java with the same ActiveX security brush.
Thanks Bob. Turning to Bob Matsuoka, president of The Soho Internetwork Co., an all-NT ISP (so you know he thinks highly of SOME Microsoft technology):
Microsoft, with its efforts to push their "windows-centric" Internet, has consciously taken a step backward to reduce security problems associated with net-based computing, compared to efforts by Netscape and Sun.
ActiveX, OLE by another name, is an extension of desktop and LAN-based computing. It works best in a closed environment with known security. Java has been (re)written as an Internet technology. Its "sandbox" mode is far, far more secure than ActiveX.
My point is that Microsoft should be more forthcoming about ActiveX. Their continual statements to the effect that "yes, it has security holes but so does Java and Plug-Ins" are disingenuous at best. The naive user (as you so well pointed out) cannot use them safely over the web, while Java applets can greatly enhance anonymous network computing. This is a crucial difference in technologies! We look at ActiveX in the same way we do Visual Basic. It's a great technology but has no business on the Internet.
Thanks Bob #2. John S. Quarterman, a long-time Internet analyst and author and President, Matrix Information and Directory Services, weighs in with this caution: "Microsoft has become an 'authority' on the Internet, largely because people use its sloppy software. Like IBM before it, the Microsoft name sells, and its mistakes tend to slide off onto innocent bystanders or onto the substrate, which in this case is the Internet."
Finally, I leave you with a comment from Yusuf Mehdi, the product manager for Microsoft's Internet Explorer. "On average, I think Java is safer than ActiveX."
This article is copyright 1996-1998 David Strom. It originally appeared in David Strom's own Web publication at STROM.COM.