Doug Wellington wrote:
> >Netscape won't install a plugin without the user saying so.
> IE is the same...
> >When the browser goes ahead
> >and downloads "Kludgescript 13" because it's got a signature the browser
> >likes without asking you, you've got a problem from now until Microsoft
> >comes up with some way of revoking certificates.
> Hmmm, am I missing something? You have to tell the browser what certificates
> to accept. If you tell the browser to blindly accept all certificates, then
> that isn't ActiveX's fault... That's the same as blindly installing plug-ins
> or downloading ANYTHING and running it without checking where it came from or
> what it does.
Yes, you're missing something. There's a big difference between these:
1) giving carte blanche to _everything_ from vendor A because you trust
and auto-installing it on every PC so configured
2) accepting a single plugin from vendor A upon explicit actions
I think that the idea of having the software producer sign the network
(plugin/java/activeX) is a good idea. But trusting it takes more than
just a reliable vendor.
I might not want everything produced by the vendor. The last time I
read the ActiveX docs, that's how they appear to read -- is that still
correct? In my mind Java wins big for security because it
will soon support signed applets _and_ encapsulation.