Great Circle Associates Firewalls
(June 1996)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: FW: Re[2]: Java & ActiveX
From: "william.wells" <william . wells @ damark . com>
Date: Thu, 27 Jun 96 10:36:00 +6C
To: FIREWALLS <firewalls @ GreatCircle . COM>

To the dialog between Russ Cooper and Michael Dillon, I add.
Michael Dillon <michael @
 memra .
Russ <Russ .
 Cooper @
 RC .
 Toronto .
 on .
>On Wed, 26 Jun 1996, Russ wrote:
>> point. ActiveX objects can be denied, they do not "suddenly activate when
>> hit a web page". You don't have to involve yourself in any key exchange
>> you don't want to, you can simply say you don't want any ActiveX objects
>> downloaded to your machine. I seriously doubt that any implementation of
>> ActiveX object usage within any application is going to ignore that
>> premise.

>The implementation may not ignore the premise but I'm sure that the
>configuration WILL. In other words, most browsers supporting ActiveX will
>have full ActiveX support enabled by default and all marketing materials
t>hat mention ActiveX will fail to mention that it is dangerous and should
>not be activated.

>Which means that people at the desktop WILL attempt to download ActiveX
>objects and it will be up to the firewall to block them.

Most people will, over the long haul, enable ActiveX and Java.  This is
independent of what is secure or not and, in many cases, independent of
business policies (since policies don't set options in browsers). There are
3 reasons for this:
1. As mentioned in earlier exchanges by others; for internal networks, using
these to enhance the Intra-net web pages may make sense. However, since
browsers make no difference between internal and external networks, if you
use it internally, you also enable it externally.
2. Web developers will start to use them and eventually depend on them.
 This will 'force' people to upgrade to new browsers and enable options in
order to use the pages.  You can argue that, as consumers, we could refuse
to use the sites which use Java. But say, for sake of argument, that a
company that your company (or you accessing your favorite site) retrieves
information from on a regular basis began to require Java or ActiveX, the
people in your company would begin to enable these.  Java can be controlled
at the firewall, I'm not sure about ActiveX.
3. People who don't know will enable the option to get the latest "bells and

>>       "ActiveX can sneak in in a web page with you all unawares."
>>       "But I have to take a deliberate action to install shrinkwrap
software, it
>> won't suddenly activate when I hit a web page."
>> Both statements are blatant lies and complete misinformation,

>That's strong language. I think I have shown above that the first
>statement is not a lie and I find it hard to see how anyone could possibly
>argue that the second statement is untrue. If you have any examples of
>shrinkwrap software that are installed by hitting a web page rather than
>taking a deliberate action and unwrapping the package, then I suggest you
>see a psychiatrist and explain this to him.

I agree that there is a distinct difference between shrinkwrap and
downloading off the Internet.  Shrinkwrap should be an untampered copy of
what was written at the factory.  There is a greater potential that Internet
software could be tampered.  The other difference is that I have a paper
license and receipt when I get shrinkwrap which can be audited. For some
companies, this is very important; how else can you prove that your company
is running purchased, licensed copies of software.

But that isn't important to firewalls. ActiveX and Java can both come in
unawares.  With embedded Java, it sits on the page (cached) until it is used
later- perhaps at a time when you are not connected to the network.

Most people think of the Web as a way to get information; a device that only
displays information that you retrieve.  That a page fetch could run a
program, send mail, or other things is beyond most people and really annoys
me.  However, if Java or ActiveX are to be useful relative to web browsers,
then they have to 'autorun'.

It seems to me that the browser developers are trying to pack as much
functionality into a system as possible.  Java seems to be more concerned
about controlling the functionality than ActiveX.  This may end up being its
failure point since most consumers want all the bells and whistles; if given
2 options, most will try to get as much as possible for the same effort.
 Only later, after some hacker exploits the whistles, do people get
concerned about 'control' but by then, market share and other non-technical
issues have pushed the other products out of existence.

Unless there is significant education of the consumers or businesses demand
controls, its been my experience that the least secure and least
controllable solution wins.

William Wells
Manager, Technical Support
Damark International, Inc
william .
 wells @
 damark .

Opinions are mine.

Indexed By Date Previous: Re: FW-1 authentication on HP-UX
From: Barbara Jaarsma <barbara @ us . checkpoint . com>
Next: Re: tcpshow
From: "John A. Morrison" <morrison @ ladyred . rsoc . rockwell . com>
Indexed By Thread Previous: RE: Re[2]: Java & ActiveX
From: Dana Nowell <DanaNowell @ corsof . com>
Next: Re[6]: Java & ActiveX
From: "Steve Betts" <Steve_Betts @ ccmailgw . biss . co . uk>

Search Internet Search