Re: why microsoft choose mfc rather than wtl?
- From: Daniel James <wastebasket@xxxxxxxxxxxxxxxx>
- Date: Tue, 12 Apr 2005 13:32:58 +0100
In article news:<a50m511vm142e3mdqni64qmnv9o6nbbkd9@xxxxxxx>, Russ wrote:
> Daniel, thanks for your comments. It seems that your points hinge on
> the ability of someone to spoof my website and convince our customers
> to lower security settings, etc.
There are two issues, really.
One is that users need to keep their browser security settings as high as
possible to block as many kinds of possible attack as possible. In an
ideal world the browser wouldn't support potentially insecure operations
at all, and users wouldn't have to do this.
The other is that your application requires the user to lower their
security settings in order to operate (that is: to set their security
settings lower than the maximum ... though maybe they can still be higher
than the default). By making this requirement you are leaving the users
in a position of lower security than they could have had if your
application didn't make the requirement.
Having the browser in that lower-security setting makes possible some
attacks that aren't possible in the higher security settings. If all you
are requiring of the users is that they allow downloading and running of
signed ActiveX controls then the main risk is that the users will decide
to trust someone they shouldn't, and allow (signed) malicious code onto
their machines. That's a pretty bad thing to have happen, and you
must share some of the responsibility when it happens because it was for
YOUR application that the browser's security had to be lowered. A
sufficiently pissed-off customer might even try to sue you for
compromising their security with your application's settings.
The issue of spoofing is largely independent of this. Someone could spoof
your site -- or any other site, regardless of security settings -- with a
site that asked the user to change their settings to insecure levels. My
point was that you should not dictate security settings to your customers
-- and you should go on record as saying that security settings are a
matter for the customer and that you recommend the highest possible
setting ... that way nobody can blame you when a user selects too low
a security setting because you are on record as saying that they
shouldn't.
> I really think this is a matter of customer education.
Yes, it is. When your customer is educated he will establish a security
policy that is appropriate for his needs ... and your application may not
be able to run if it relies on ActiveX controls. Even signed ones. This
is a very proper response for the user to make in a hostile world, and
you need to structure your website so that it can work without reduced
security -- or accept that you will lose customers.
> But I am not at all convinced that spoofing our site and fooling
> anyone to accept a bad file would be that easy.
It isn't all that easy ... but the Bad Guys are quite good at what they
do. I don't know what your business is, nor how hard your site would be
to attack, nor how valuable it would be to an attacker to compromise your
users' machines and possibly gain unauthorised access to *your* systems
through those machines. The banks are pretty technically sophisticated
and yet attackers have managed to perpetrate some quite widespread frauds
through "phishing" attacks ... but, being banks, they're quite obvious,
prime targets.
Note that it may not be necessary to spoof your actual site; an attacker
might send an EMail pointing your users to a download site that looks and
feels like (a small part of) your site and get them to download the
malware there. Note, also, that it doesn't have to be *your* site that is
spoofed; the mere fact that you require the user to run at sub-optimal
security levels may be enough to enable an attacker to spoof a
*different* site. Note, finally, that the real value to *you* of not
requiring reduced security is that you can advise the users to set their
security to the maximum and wash your hands of any problems they may
encounter by not doing so. The most effective attacks are not always
technical ones, nor are the most effective defences.
> The bottom line though, for me, is that Microsoft has provided tools
> that allows us to deliver a business application to clients who only
> need a web browser and the ability to install a fairly simple piece of
> our software. The ability to update that software
> 'semi-automatically' during normal use of that product is a big
> advantage. I don't see the danger as anywhere near as threatening as
> what can happen to the buyer of an automobile if he does not heed
> safety warnings.
That's a good parallel ... Microsoft provide a number of technologies that
are -- for the most part -- in and of themselves harmless. If you use
those technologies in ways that are ill-advised and harm comes to you or
to your customers because of it you have only yourself to blame. Just
because there is no specific notice against something, that doesn't make
it a good idea.
In just the same way that you *can* use the cruise control of your car to
keep it running while you take a nap, you *can* run your browser with no
security so that you can run every control on every website you find ...
that doesn't make it a good idea!
> I don't think many people would say that it is unethical to deliver
> an automobile to customers because it is possible for them to kill
> themselves with it.
Your point being ... that Microsoft shipping a browser that can be
configured to be insecure is no more unethical than it is for Ford to
sell cars that can be crashed? That's true, but there are some
differences, in particular: nobody is allowed to drive a car without
learning to drive and obtaining a licence, but anyone is allowed to run
(and, indeed, to set up and configure) a computer -- so there is a
presumption that drivers know what they're doing that cannot be made of
computer users.
> There are some things that cannot be done with HTML. I don't know
> about Java, but I suspect the same thing is true.
Java running in a browser does not give you the full power of the Java
language -- for security reasons <smile>. If you can't do what you need
to do in Java that should be a fair indication that what you're doing is
risky and that you shouldn't be doing it at all.
> My Activex control is for the purpose of printing reports. It parses
> a downloaded reports file and sends the individual reports to the
> clients printer(s).
I'm sure you *can* do that with Java -- though I don't see why you can't
do it in HTML ... the report might be a little less pretty but at least
you'd have no security worries.
Alternatively, format the report on the server as an Acrobat file and
download that, and let the user print it how he likes.
> Well, that's about all I have to say on the subject. Perhaps it gives
> you some things to think about. I know your comments made me think
> about it more.
It's an interesting topic ... made more so by the fact that there are a
lot of things we can do with computers -- and especially with the
internet -- today that would probably never have been made possible if
security had been higher on the agenda in the technology's formative
years. Sorry I haven't time, right now, to discuss it all further.
Cheers,
Daniel.