Re: RIP: ActiveX controls in Internet Explorer?

[Igor Filippov <igor () osc edu>]

It seems the patent in question covers not only client-side
executables, but server-side as well:
"Once selected the program object executes on the
user's (client) computer or may execute on a remote server or additional
remote computers"
So, not only javascript/flash/java are subjects of this copyright
but any CGI/whatnot application as well -  or am I reading it wrong ?

Igor



On Mon, 1 Sep 2003, Simon Brady wrote:

> On Sat, 30 Aug 2003, Alun Jones wrote:
>
> > The descriptions I've heard of this suggest that this patent could be
> > applied equally to prevent (or grab payment from implementors of)
> > Javascript, Java, Flash, etc.
> >
> > I'm with you on the security issues with ActiveX (and Javascript) - I
> > disable ActiveX on the principle that it has no security consideration, and
> > Javascript on the basis that it's been frequently implemented in a
> > vulnerable manner.  But this is a considerably further-reaching patent than
> > merely killing off ActiveX.  Before we sing "ding dong the witch is dead",
> > let's have some concern for the peaceful Wiccans that might be next on the
> > chopping block.
>
> Java and Flash aren't exactly free of security issues either. In fact, I 
> would go further and argue that the whole notion of a controlled 
> client-side runtime environment for remote code has been an unmitigated 
> disaster for the web (and this is solely from a security perspective - see 
> http://members.optusnet.com.au/~night.owl/morons.html for a refreshing 
> take on the usability crisis they've caused).
>
> I'm not just referring to current implementations with their appalling 
> defect rates. All client-side runtimes, no matter how well-written,  
> inherently reduce security. That's their function: to give outsiders 
> access to your machine they otherwise wouldn't have.
>
> Even more insidiously, their prevalence numbs users into a mode of thought
> that it's quite normal and healthy to let this happen. How can the
> security community promote safe browsing when users are being forever
> brainwashed into ignoring or disabling security features for the sake of
> pointless but pretty downloadable applets? How can we encourage content
> developers to reduce attack surface when fashion demands yet more
> gratuitous bells and whistles?
>
> Web applications belong on the server. The more widely this patent gets
> applied the better off the browsing public will be.
>
> --
> Simon Brady                             mailto:simon.brady () otago ac nz
> ITS Technical Services
> University of Otago, Dunedin, New Zealand
>
>     I don't speak for my employer, and they don't speak for me.