On Fri, 31 Jan 1997, Russ wrote:
> Wait a second. Why should this exploit be treated any differently than
> any other misconfiguration exploit? Why is the fact that someone
> downloaded an application from an unknown untrusted vendor and found it
> to be malicious a condemnation of ActiveX?
Because ActiveX has a flawed trust model.
> 1. If the default IE implementation existed on the exploited machine,
> they were informed of the company name who signed the certificate, and
> were asked to confirm acceptance of the object. In which case, they
> chose to trust an untrustworthy company, why is that the fault of
1. There is no way to revoke certificates, just wait until someone
gets hold of Microsoft's certificate. Without some sort of
verification at the CA, having a CA is pure fluff. Yeah,
Microsoft can bury a new certificate in an update, but everyone
can't do that. Without CA verification, there's no way to know
whose certificates have been compromised.
2. Once accepted, the object is usable from any site, not
simply the one from which it came. There's a significant
lack of granularity to the whole process. One certificate
for the whole of most companies? No user-defined time limits
on them? No
3. 'After the fact' damage control is nowhere near as good as
before the fact protection. Knowing whose certificate it was
basically doesn't do *anything* for you. All the certificate holder
has to do is say "some evil hacker broke in and copied my certificate".
I asked Microsoft if they'd take direct financial responsibility
_not_ for the flawed trust model, but for misuse of any objects
signed by their certificate. No answer. Being able to finger
point to a certain certificate doesn't give you *any* protection,
or remediation. If Microsoft's certificate were compromised,
would you all of a sudden stop accepting everything from them?
Do you have any idea of how their certificate is managed? Ok,
now extend that to 100 different software vendors. See, there
_is_ a problem here, and the fact that Microsoft won't address
the inherent flaws is *bad*. The best I've gotten from them
was to the effect of "Well, plug-ins are bad too."
> 2. If they previously had told IE to accept all signed certificates,
> then they chose to leave their machine wide open, again, why is that
> ActiveX's fault?
Because it doesn't adequately protect the novice user. The same
people who tout 'easy to use' are now asking several thousand of my
users to understand how to extend trust to my internal network. This is
ridiculous. Not that long ago, you were saying that you thought that
there was too much complexity, and keeping up to do in the world of
firewalls for folks who weren't full-time security people, well,
I don't think we need the same level of complexity for web browsing.
It's bad enough enforcing good password rules, now my stock clerk has to
know what sites to accept certificates from?
I for one am *very* glad there exist ActiveX blockers.
> As we always say about Firewalls, if the user chooses to ignore or be
> ignorant of the risks of the configuration they're using, nothing can
> protect them.
As we always say about firewalls, it doesn't matter how 'neat' an
application is, if the design is flawed, it shouldn't be allowed.
Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
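An added illustration of the trust-model difference argued in the post above (example code, not part of the original message or of any browser's actual implementation). It models the "once accepted, usable from any site, no revocation, no time limit" policy beside a policy that scopes a trust grant to a publisher, an origin and an expiry, and that checks a revocation list before anything else. Publisher names, keys, dates and the payload are constructed, and an HMAC over the object stands in for the real CA-backed signature.

```python
"""Toy model of two code-signing trust policies (constructed example).

Signatures here are HMAC-SHA256 with a per-publisher key; this stands in
for a certificate-backed signature so the example runs offline. All
publisher names, keys, origins and dates are made up."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignedObject:
    name: str
    publisher: str    # name on the signing certificate
    origin: str       # site the object was actually fetched from
    payload: bytes
    signature: bytes


def sign(payload, publisher, key):
    """Stand-in for the publisher's signing operation (constructed)."""
    return hmac.new(key, publisher.encode() + b"\0" + payload, hashlib.sha256).digest()


def signature_valid(obj, publisher_keys):
    """Verify the object against the key registered for its publisher."""
    key = publisher_keys.get(obj.publisher)
    if key is None:
        return False
    expected = sign(obj.payload, obj.publisher, key)
    return hmac.compare_digest(expected, obj.signature)


def flat_accept(obj, publisher_keys, trusted_publishers):
    """Policy A: a flat set of trusted publisher names.

    Once a publisher is trusted, its objects run from any origin, forever,
    and there is no revocation hook. This is the model the post objects to."""
    return signature_valid(obj, publisher_keys) and obj.publisher in trusted_publishers


@dataclass(frozen=True)
class TrustGrant:
    publisher: str
    origin: str
    expires: datetime


@dataclass
class ScopedPolicy:
    """Policy B: grants scoped to (publisher, origin) with an expiry,
    plus a revocation list consulted before the signature is even checked."""
    publisher_keys: dict
    grants: list = field(default_factory=list)
    revoked_publishers: set = field(default_factory=set)

    def accept(self, obj, now):
        if obj.publisher in self.revoked_publishers:
            return False                       # revocation wins over everything
        if not signature_valid(obj, self.publisher_keys):
            return False                       # tampered or unknown signer
        return any(
            g.publisher == obj.publisher
            and g.origin == obj.origin         # per-site granularity
            and now < g.expires                # user-defined time limit
            for g in self.grants
        )


def run_demo():
    """Exercise both policies on the same object; returns the decisions."""
    pub = "Example Widgets Inc"                 # constructed publisher
    keys = {pub: b"constructed-signing-key-1"}
    payload = b"constructed control bytes"
    sig = sign(payload, pub, keys[pub])
    from_intranet = SignedObject("widget", pub, "intranet.example.test", payload, sig)
    from_elsewhere = SignedObject("widget", pub, "other.example.test", payload, sig)
    forged = SignedObject("widget", pub, "intranet.example.test", payload + b"x", sig)

    t0 = datetime(2024, 1, 1)
    flat = {pub}
    policy = ScopedPolicy(keys, [TrustGrant(pub, "intranet.example.test", t0 + timedelta(days=30))])
    results = {
        "flat_intranet": flat_accept(from_intranet, keys, flat),
        "flat_elsewhere": flat_accept(from_elsewhere, keys, flat),   # same object, any site
        "flat_forged": flat_accept(forged, keys, flat),
        "scoped_intranet": policy.accept(from_intranet, t0),
        "scoped_elsewhere": policy.accept(from_elsewhere, t0),       # grant does not carry over
        "scoped_forged": policy.accept(forged, t0),
        "scoped_expired": policy.accept(from_intranet, t0 + timedelta(days=31)),
    }
    # The publisher reports its certificate compromised: only the scoped
    # policy has anywhere to record that.
    policy.revoked_publishers.add(pub)
    results["flat_after_revocation"] = flat_accept(from_intranet, keys, flat)
    results["scoped_after_revocation"] = policy.accept(from_intranet, t0)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:24s} {v}")
```

The point of the side-by-side is that the flat policy has no state in which to express "this signer is no longer trusted" or "trusted only for the intranet"; the scoped policy makes both of those a single field check, and the forged object is rejected by both because the signature, not the trust decision, catches it.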