CertiGuide to Security+
Chapter 2: Communication Security (Domain 2.0; 20%)
2.3 The Web

2.3.4.2  ActiveX
(Page 2 of 2)

ActiveX and Digital Signatures



In the ActiveX model, the programmer can write code to do whatever they please. The emphasis is not so much on prevention (since a control downloaded from any arbitrary web site is free to do whatever it wishes on the user’s computer), as it is on using digital code signing (discussed in 2.3.4.5) to enable a victim of an ActiveX-based attack to determine who was responsible for it and to go after them. Think of this process as a digital signature to verify the origin of the component. This is not necessarily the best model for secure client/server communications in situations where the client has any reason to distrust the server (read: most Internet web browsing).

One reason this doesn’t help security much is that there are plenty of things an ActiveX control can do to compromise the security of a client machine (like read data off the user’s system and send it up to a web server) that users typically cannot even detect – what good is accountability, if users never suspect there’s a problem? The other reason is that while digital signing guarantees that someone proved their identity to some certifying organization, there’s no guarantee that the certifying organization was anything other than a random geek in a basement with a signature-generating program on his PC, or that the user will even bother to check that the source of the digital signature was a respected site.

Checking Site Certificates

Do you check site certificates when making secure connections, and ActiveX control security information when you surf to a web page that wants to download an ActiveX control? If so, good for you. If not, we figured that.


Because ActiveX controls are distributed to client machines as compiled code which is effectively unreadable by curious users (as opposed to Java Script’s text or Java’s somewhat-reversible “byte code”), they provide an additional level of intellectual property security – it’s more difficult for someone to steal your fancy new button lighting effect and adapt it for their own purposes, if they can’t see the code.

Update: a Bagle worm variant released in March 2004 is delivered in the body of an email rather than as an attachment.[217]

ActiveX

ActiveX is a Microsoft technology for creating small executable programs, called ActiveX controls, which are downloaded from web servers and run on client PCs.

ActiveX uses digital code signing in the form of a digital certificate (usually signed by a trusted authority like VeriSign) to identify the origin of the control. The digital signature identifies the control’s source, so that you know whom to blame if a problem with the control is encountered, but does not guarantee that the functionality of the control is not malicious.
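The point made above and in the earlier discussion of certifying organizations is that a signature answers "who signed this?" and "has it been altered?", not "is it safe?". The following PowerShell function is an added example (not from the CertiGuide text or from Microsoft) showing what a signature check on a downloaded control actually establishes: it reads the Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, reports the signer and issuer, and separately builds the certificate chain so that a certificate issued by a home-made or otherwise untrusted authority is flagged even when the signature itself verifies. The file path at the bottom is a placeholder to be replaced with the control under review.

```powershell
# Added example: inspect the Authenticode signature on an ActiveX control (.ocx/.dll).
# A "Valid" status means the file is signed and unmodified since signing; it says
# nothing about what the control does once it runs.
function Test-ControlSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File         = $Path
        Status       = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer       = $null
        Issuer       = $null
        ChainTrusted = $false
        Timestamped  = ($null -ne $sig.TimeStamperCertificate)
        ChainErrors  = ''
    }

    if ($sig.SignerCertificate) {
        # Who signed it (accountability) and who vouched for that identity.
        $result.Signer = $sig.SignerCertificate.Subject
        $result.Issuer = $sig.SignerCertificate.Issuer

        # Build the chain explicitly, with revocation checking, so that a self-signed
        # certificate or one from a CA this machine does not trust is reported as
        # untrusted even though the signature over the file is mathematically correct.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $result.ChainTrusted = $chain.Build($sig.SignerCertificate)
        if (-not $result.ChainTrusted) {
            $result.ChainErrors = ($chain.ChainStatus |
                ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }

    [pscustomobject]$result
}

# Placeholder path: replace with the control you are reviewing.
Test-ControlSignature -Path 'C:\path\to\downloaded\control.ocx' | Format-List
```

When reading the output, treat Status and ChainTrusted as two separate questions: a NotSigned or HashMismatch status means there is no usable accountability at all, while a Valid signature whose chain does not build to a root the machine trusts is exactly the "certifying organization in a basement" case the text describes. Even when both checks pass, the result only tells you whom to hold responsible, not that the control is harmless.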


217. http://www.eweek.com/article2/0,1759,1550841,00.asp

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.