However, Java and ActiveX do introduce some security risk, because they can cause potentially hostile programs to be automatically downloaded and run on your computer, just because you visited some Web page. The downloaded program could try to access or damage the data on your machine, for example to insert a virus. Both Java and ActiveX take measures to protect you from this risk.
There has been a lot of public debate over which system offers better security. This page gives our opinion on this debate. Java and ActiveX take fundamentally different approaches to security. We will concentrate on comparing the approaches, rather than critiquing the details of the two systems. After all, details can be fixed.
ActiveX was developed by Microsoft. It is supported in Microsoft's Internet Explorer, and an ActiveX plug-in is available for Netscape Navigator.
The most intense public debate about security has been between JavaSoft and Microsoft. Each company has accused the other of being careless about security, and some misleading charges have been made.
Think of a digital signature as being like a person's signature on paper. Your browser can look at a digital signature and see whether it is genuine, so you can know for sure who signed a program. (That's the theory, at least. Things don't always work out so neatly in practice.)
Once your browser has verified the signatures, it tells you who signed the program and asks you whether or not to run it. You have two choices: either accept the program and let it do whatever it wants on your machine, or reject it completely.
ActiveX security relies on you to make correct decisions about which programs to accept. If you accept a malicious program, you are in big trouble.
Java security relies on the software implementing the sandbox to work correctly.
The most dangerous situation, though, is when the program is signed by someone you don't know anything about. You'd really like to see what this program does, but if you reject it you won't be able to see anything. So you rationalize: the odds that this particular program is hostile are very small, so why not go ahead and accept it? After all, you accepted three programs yesterday and nothing went wrong. It's just human nature to accept the program.
Even if the risk of accepting one program is low, the risk adds up when you repeatedly accept programs. And when you do get the one bad program, there is no limit on how much damage it can do.
The only way to avoid this scenario is to refuse all programs, no matter how fun or interesting they sound, except programs that come from a few people you know well. Who has the self-discipline to do that?
If you're the average person, you don't have the time or the desire to examine Java and look for implementation errors. So you have to hope the implementers did everything right. They're smart and experienced and motivated, but that doesn't make them infallible.
When Java security does break down, the potential consequences are just as bad as those of an ActiveX problem: a hostile program can come to your machine and access your data at will.
Java-enabled products are now starting to use digital signatures to work around this problem. The idea is like ActiveX: programs are digitally signed and you can decide, based on the signature, to give a program more power than it would otherwise have. This lets you run a text editor program if you decide that you trust its author.
The downside of this scheme is that it introduces some of the ActiveX problems. If you make the wrong decision about who to trust, you could be very sorry. There's no known way to get around this dilemma. Some kinds of programs must be given power in order to be useful, and there's no ironclad guarantee that those programs will be well-behaved.
Still, Java with signed applets does offer some advantages over ActiveX. You can put only partial trust in a program, while ActiveX requires either full trust or no trust at all. And a Java-enabled browser could keep a record of which dangerous operations are carried out by each trusted program, so it would be easier to reconstruct what happened if anything went wrong. (Current browsers don't do this record-keeping, but we wish they would.) Finally, Java offers better protection against accidental damage caused by buggy programs.
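The two trust models described above (the signature check that tells the browser who signed a program, and the difference between ActiveX-style all-or-nothing acceptance and a Java-style sandbox that grants only partial trust and records each dangerous operation) can be shown in a few dozen lines. The following Go program is an added example, not code from the original article or from either browser vendor; it uses Ed25519 from Go's standard library as a stand-in for the signature schemes of the period, and the publisher name "Example Editor Co.", the program bytes and the capability names are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Publisher is a signer whose public key the browser already knows (assumed to have
// been obtained out of band, e.g. from a certificate the browser trusts).
type Publisher struct {
	Name string
	Pub  ed25519.PublicKey
}

// SignedProgram is downloaded code together with the signature the publisher put on it.
type SignedProgram struct {
	Code      []byte
	Signature []byte
}

// Capability names a "dangerous operation" a program may ask the browser to perform.
type Capability string

const (
	ReadFiles  Capability = "read-files"
	WriteFiles Capability = "write-files"
	Network    Capability = "network"
)

// Policy records, per publisher, which capabilities the user chose to grant.
// An empty set means "sandbox only"; granting every capability models ActiveX full trust.
type Policy map[string]map[Capability]bool

// Verify returns the known publisher whose key signed prog, or an error when none matches.
// A tampered program fails here before any trust decision is made.
func Verify(prog SignedProgram, known []Publisher) (*Publisher, error) {
	for i := range known {
		if ed25519.Verify(known[i].Pub, prog.Code, prog.Signature) {
			return &known[i], nil
		}
	}
	return nil, errors.New("signature does not match any known publisher")
}

// Sandbox holds the capabilities granted to one loaded program and an audit trail
// of every dangerous operation it requested, allowed or not.
type Sandbox struct {
	publisher string
	granted   map[Capability]bool
	Audit     []string
}

// Request checks whether the program may perform op and records the outcome.
func (s *Sandbox) Request(op Capability) bool {
	ok := s.granted[op]
	verdict := "denied"
	if ok {
		verdict = "allowed"
	}
	s.Audit = append(s.Audit, fmt.Sprintf("%s: %s %s", s.publisher, op, verdict))
	return ok
}

// Load verifies the signature, then builds a sandbox holding only what the policy grants.
func Load(prog SignedProgram, known []Publisher, pol Policy) (*Sandbox, error) {
	pub, err := Verify(prog, known)
	if err != nil {
		return nil, err
	}
	granted := map[Capability]bool{}
	for c := range pol[pub.Name] {
		granted[c] = true
	}
	return &Sandbox{publisher: pub.Name, granted: granted}, nil
}

// Demo runs the scenario from the text: a signed "text editor" is given file access but
// not network access, and a tampered copy of it is rejected outright. It returns the
// audit trail and whether the tampered copy was refused. (Constructed scenario.)
func Demo() (audit []string, tamperRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	code := []byte("constructed applet bytes")
	prog := SignedProgram{Code: code, Signature: ed25519.Sign(priv, code)}
	known := []Publisher{{Name: "Example Editor Co.", Pub: pub}}
	// Partial trust: a text editor needs files, so grant those and nothing else.
	pol := Policy{"Example Editor Co.": {ReadFiles: true, WriteFiles: true}}

	sb, err := Load(prog, known, pol)
	if err != nil {
		return nil, false, err
	}
	sb.Request(ReadFiles) // allowed by the policy
	sb.Request(Network)   // denied: not granted, but still logged

	// Modify one byte of the code; the old signature no longer verifies.
	tampered := SignedProgram{Code: append([]byte("x"), code...), Signature: prog.Signature}
	_, loadErr := Load(tampered, known, pol)
	return sb.Audit, loadErr != nil, nil
}

func main() {
	audit, rejected, err := Demo()
	fmt.Println(audit, rejected, err)
}
```

Granting every capability to a publisher in `Policy` reproduces the ActiveX situation the article describes: once accepted, the program can do anything, and the audit trail is the only thing left to tell you what it did.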
With ActiveX, this problem is made worse if you click the box which accepts all programs signed by the same person (for example, if you accept anything signed by Microsoft). While one Microsoft program may be secure, another one may have a security-relevant bug.
This problem even applies to code written by your own company for internal use. Once the plug-in or program is installed in your browser, an external attacker who knew about the program could write a Web page which used your internal program, passed it funny data which corrupted the program, and took over your machine.
If you're feeling paranoid, the only plug-ins you should allow are those with less-than-general-purpose functionality. A plug-in which handles a new image, video, or audio format is less likely to be exploitable than a plug-in for a completely general animation system.
For most people, continuing to use Java and ActiveX is the right choice. If you are informed about the risks, you can make a rational decision to accept some danger in exchange for the benefits of using Java and ActiveX.
Copyright © 1997 by Edward W. Felten