Re: why microsoft choose mfc rather than wtl?
- From: Jerry Coffin <jcoffin@xxxxxxxxx>
- Date: Wed, 13 Apr 2005 17:59:58 -0600
In article <VA.00000af5.4db0c592@xxxxxxxxxxxxxxxx>,
wastebasket@xxxxxxxxxxxxxxxx says...
[ ... ]
> One is that users need to keep their browser security settings as high as
> possible to block as many kinds of possible attack as possible. In an
> ideal world the browser wouldn't support potentially insecure operations
> at all, and users wouldn't have to do this.
I hope you'll pardon my being contrary, but I have to disagree. While
security is a major concern in the real world, in anything I'd call
even close to an ideal world, browsers (and pretty much everything
else) would be entirely insecure, because security simply wouldn't be
a concern for anybody.
> The other is that your application requires the user to lower their
> security settings in order to operate (that is: to set their security
> settings lower than the maximum ... though maybe they can still be higher
> than the default). By making this requirement you are leaving the users
> in a position of lower security than they could have had if your
> application didn't make the requirement.
Yes, but IE (among others) supports security zones. This makes it
fairly easy for the user to allow operations on this particular site
but not for the web as a whole.
> Having the browser in that lower-security setting makes possible some
> attacks that aren't possible in the higher security settings. If all you
> are requiring of the users is that they allow downloading and running of
> signed ActiveX controls then the main risk is that the users will decide
> to trust someone they shouldn't, and allow (signed) malicious code onto
> their machines. That's a pretty bad thing to have happen, and you
> must share some of the responsibility when it happens because it was for
> YOUR application that the browser's security had to be lowered.
This also strikes me as going overboard. I could as well blame you if
the user has changed his security settings to allow absolutely
anything to happen, and you were the one who forced him to use a
browser.
Going even further, I could blame you because your application used
networking, and without it there's a possibility his computer might
not have been connected to any network at all, which would give
pretty darned good immunity to network-borne threats.
> A
> sufficiently pissed-off customer might even try to sue you for
> compromising their security with your application's settings.
He could certainly try -- but no reasonable court would hear the
case. Of course, given the state of the courts today, that shouldn't
be viewed as reassuring at all.
--
Later,
Jerry.
The universe is a figment of its own imagination.