Doug Wellington <doug @ sun1paztcn . wr . usgs . gov> wrote:
>Hmmm, am I missing something? You have to tell the browser what certificates
>to accept.
What certificates are you going to tell your browser to accept?
The Risks Digest note that started this particular thread tells how to
use a *Microsoft* ActiveX control to crash computers. Also talks about
using controls to write to system files and says, "At least two of
these controls have valid Authenticode digital signatures so that they
can be automatically downloaded and executed even with the highest
security settings in Internet Explorer 3.0."
The point is that properly signed controls from trusted sources can be
used for evil purposes.
>Isn't the bigger issue really about user knowledge though? If we don't
>trust our users to decide for themselves, then we should stick with a
>limited (Java?) VM or a more limited browser such as Mosaic.
But they're not deciding "for themselves", they're making decisions
which could have disastrous effects for the entire organization.
That's where firewalls come in, no? (Check the name of the mailing
list you're using here.)
How big is your user community? Thousands spread across 6 continents?
And you trust each and *every* one of them to possess a) the evolving
technical knowledge, b) the skills, c) the foresight, d) the interest,
and e) the initiative to protect the corporate jewels before
downloading the latest control/applet/browser/protocol-of-the-month?
--
KH