"Daniel James" wrote
| Javascript and ActiveX are completely different propositions.
Not in the browser. Both are executable code. Both are risk factors. Nearly every online attack requires javascript. Many take advantage of networking vulnerabilities, like remote desktop, dcom, etc. But all of those require javascript. The problem is not the tool. It's the fact that you're running executable code in the browser.
ActiveX is also sandboxed. It's only marked safe for scripting if it does no system access. But things happen. For instance, one time I think there were forged certs from Microsoft that were letting malicious ActiveX load. It's the same with javascript. For example, jquery has had problems in the past. Is the current version completely safe? Sure, probably. :)
People thinking like you is exactly why we have such a problem. You'd like to think the problem was all caused by something that we've eliminated. So now we can shop, bank, and do other things online with abandon, so long as we have the latest browser. It doesn't work that way. Most online attacks are now 0-days and typically bypass user restrictions. Your tax dollars fund the NSA to find the very best possible hacks. :) In addition, there are increasingly clever attacks server-side, stealing your personal info from that site you shopped at.
| ActiveX is a native-code program running without any isolation from the
| underlying OS, and it can in principle do *anything*.
|
No. See above. There are restriction settings and certificates. I'm not saying ActiveX was safe. I'm just saying it's as safe and as idiotic as allowing javascript in the browser. The only difference is that you can't buy your plane tickets hard disks online without javascript, so you choose to take the ostrich approach and believe that it's "sandboxed".
| I never run anything online as
| root -- that's just crazy).
Good. Then you're safe from all those attacks that don't get around user restrictions. The ones that no longer exist.
| > Before .Net, Java, Flash, etc there was COM
| > providing relatively easy and safe wrapper components.
|
| Relatively easy, but not safe. The problem isn't how well it works,
| it's how little one can control it.
I was referring to the functionality. Java and .Net serve to separate the programmer from direct system access, for convenience and safety. COM is similar. None of them are safe for online use, but COM is integral to Windows and provides easy object-model wrappers for many things. I've written all sorts of utilities in IE, as HTAs. An HTA is just a webpage with no security that can only run locally. Using COM functionality and an IE GUI it's amazing what one can do. I've even written an image editor and scanner interface. Whatever MS provides can be accessed.
|
| > But COM/ActiveX is still a brilliant, flexible design today, as
| > long as it's used offline.
|
| COM leaves too big a footprint on the system, for my taste. It's too
| tied in to the registry, and its use makes it hard to develop truly
| portable applications.
It's not tied in except to look up the typelib and DLL location when it loads. Yes, it's not portable. Nothing really is. And if you mostly just use one system, that doesn't matter. I don't prefer COM for compiled code if I can use system calls. Just as I wouldn't use Java or .Net. COM is not nearly so bloated, but it's still a wrapper that will slow things down and create dependencies. Nevertheless, in certain scenarios, such as locally run scripted utilities, it's wonderful.
| > I'm going to give you the benefit of the doubt and
| > assume you've been hanging around the barbecue, drinking,
| > for most of this Labor Day Saturday.
|
| We don't have Labor Day, here.
|
Ah. I forget. Ireland? Labor Day here is a holiday when Americans grill beef and "hot dogs", get drunk, then crash our boats.
| I don't remember clearly ... but in 2000 I was probably using the
| Mozilla suite on Windows. I was already dabbling with Linux then, but I
| was using Windows as my main OS. I have an image (from 2005) of the
| Windows 2000 PC I was using then set up as a VM on this machine, and I
| can see that Seamonkey is the default browser on that. That's a few
| years after your arbitrary choice of 2000, and Mozilla Suite had been
| renamed in the meantime.
|
I think you must be mistaken. According to Wikipedia, the first Seamonkey release was 2006. I also first tried Linux around 99/2000. Red Hat 4. Mandrake 4. Also BeOS. Interesting stuff. But then I got them all set up and realized there was no software. And BeOS was only black and white display. That was enough of that. I tried Linux a couple of times again. Still no software. Still impossible to use without console windows. Still no easy-to-use firewall that could block outgoing. Someday, maybe. Those don't seem like unreasonable demands to me.
| Anyway, MS may have won the battle, but it lost the war.
That's what we Yanks refer to as "sour grapes". :)