ACADEMIC COMPUTING and COMMUNICATIONS CENTER
Active Content on the Web

Java, JavaScript, and ActiveX

Browser active content is written in Java, JavaScript, or
ActiveX. Why three? Java, a programming language, was (and is still being)
developed by Sun Microsystems. JavaScript is a scripting language that
was developed at about the same time by Netscape. Not to be outdone, Microsoft
offered ActiveX, which is also a programming language, based on Windows
OLE. Java and JavaScript are supported by Netscape (versions 2.0 and higher)
and Internet Explorer (versions 3.0 and higher). ActiveX is only supported
by IE.

The Answers are: Yes, Yes, and Yes

The questions, obviously, are: Are there any known security
problems with Java? With JavaScript? With ActiveX?

Active Problems

Of the three, Java has by far the most built-in security controls. There's a long list of things that (unsigned) Java "applets" aren't allowed to do when they run on your machine, including start programs, read or write files (with some exceptions), or make network connections except back to the machine that sent them. They also can't format your hard drive or reboot your system. (Don't laugh; ActiveX controls can. So can signed Java applets, but those you must give permission to run.)

Like Java applets, JavaScript is designed to protect your computer from unauthorized access. The ActiveX story is different. There aren't any built-in limitations on what ActiveX "controls" can do when they run on your computer. In fact the only "security" provision they have is an optional digital signature, with the signature certified by a "certifying authority" such as VeriSign (one of the trusted third parties involved in SSL security). The theory is that the good guys will sign their controls, so an unsigned control is a bad control. But the bad guys could sign a control (they have already, in fact), and the good guys could make a mistake. So, in practice, the signature only means you'll know who to blame.

Can they carry viruses? In theory, no for Java and JavaScript, yes for ActiveX. In practice, yes, possibly, for all of them. So far, however, there haven't been any documented cases found "in the wild" (i.e., on real people's machines).

Personal Privacy Problems

While viruses and formatting hard drives sound scary, what's really scary about Java, JavaScript, and ActiveX is their capacity to be used to infringe on your personal privacy, either because of flaws in their design or bugs in their implementations in particular browsers. This is particularly true for JavaScript, because it was designed to control the browser.

For example, a recent security hole found in Netscape Navigator 4.0–4.04 allowed JavaScript programs to read browser preference settings, which can include email addresses or even POP or FTP passwords. (Wondering what might be in yours? The file is called preferences.js and it's in your Netscape directory; open it in a text editor and take a look.)
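As an added illustration (not part of the original article), here is a small Python script that does the "take a look" step systematically: it parses user_pref("key", value); lines in the Netscape preferences.js format and reports which entries hold a password or an e-mail address, with the values masked. The sample file and its key names are constructed for this example and are not copied from a real installation.

```python
import re

# Constructed sample in the Netscape 4 preferences.js format; keys are illustrative, not real.
SAMPLE_PREFS = '''\
// Netscape User Preferences File (constructed sample)
user_pref("browser.startup.homepage", "http://www.uic.edu/");
user_pref("mail.identity.useremail", "someone@example.edu");
user_pref("mail.pop_password", "hunter2");
user_pref("mail.remember_password", true);
user_pref("network.hosts.pop_server", "pop.example.edu");
user_pref("browser.cache.disk_cache_size", 7680);
'''

# One user_pref("key", value); line; value is a "string", true/false or an integer.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
EMAIL_RE = re.compile(r'^[^@\s"]+@[^@\s"]+\.[A-Za-z]+$')

def parse_value(raw):
    """Convert the raw value text into a str, bool or int."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)

def parse_prefs(text):
    """Return {key: value} for every user_pref line; comments and blanks are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def mask(value):
    return value[:1] + "*" * max(len(value) - 1, 0)  # keep only the first character

def find_sensitive(prefs):
    """Flag string prefs holding a password (by key name) or an e-mail address (by value)."""
    findings = []
    for key, value in prefs.items():
        if not isinstance(value, str):
            continue  # booleans and integers never hold a credential or address
        if "password" in key.lower() or "passwd" in key.lower():
            findings.append((key, "password", mask(value)))
        elif EMAIL_RE.match(value):
            findings.append((key, "email address", mask(value)))
    return findings
```

Run find_sensitive(parse_prefs(open(path).read())) against your own preferences.js to see which entries a script with read access to that file would have been able to harvest.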

Have I Scared You Yet?

I've only scratched the surface! For a quick summary of the kinds of problems that active content can cause, and a JavaScript page (oh, well!) that checks your Web browser for known security risks, see Symantec's Web Security Center's "Hostile Applets" and "Browser Bugs" pages:
http://www.symantec.com/avcenter/security/applets/applets.html

Section 9, "Client Side Security," of the W3C's "World Wide Web Security FAQ" (http://www.w3.org/Security/Faq/) has a pretty thorough discussion of Web security from the end user's point of view, and includes instructions on how to turn Java, JavaScript, and ActiveX off in your browser, if you're so inclined. I know I am! (That's also what the W3C recommends.)

Comments are welcome; please send them to

Illustration (c) SoftKey International Inc. and its licensors.

The ADN Connection, April/May/June 1998
2002-7-15 connect@uic.edu