More on ActiveX vs. Java Security

My last essay on trusting your next downloads got lots of mail. Half of it was bounced messages from AOL and CompuServe: apparently both had either MX or DNS problems last Saturday when the issue went out. (If you didn't get your issue, check the link above to read it before proceeding.) But the more interesting half were people telling me that I ducked the issue about the relative safety of Java vs. Active X.

Yes I did duck the issue, mainly because I don't have the skills to really evaluate their differences. But many of you do, and wrote unanimously to tell me that Java is head and shoulders better. Some of you even included some facts to support your opinions.

All of this reminds me of the November 1989 debates over Ring 0 between Microsoft (OS/2 LAN Manager back then) and Novell's NetWare 386 server operating systems. Back then we had each company trying to show how insecure the other's OS was. But I digress. Here are some comments (printed with the authors' permission).

First, Bob Denny, author of WebSite and last seen here at Web Informant #50, writes:

David, you took the position in your last Web Informant that that everything is dangerous, and that ActiveX is just as good/bad as the other stuff (plugins, Java, etc.). You are wrong: Java is far safer than ActiveX. It was when it was first released last year, and it is even more so now with the Java Development Kit 1.1 release.

I would download and run an unsigned Java applet without hesitation. I won't run ANY ActiveX applet on my machine, even signed ones, unless they are signed from someone I trust.

Trust is a squirrelly notion. A real security policy is a matrix of assertions and capabilities. The more you trust the thing, the more you permit it to do. Microsoft's assertion is that if it looks trustworthy let it have free rein. I don't buy this at all -- I have to depend on my machines to get clean code written every day.

So whom do I trust for delivering ActiveX applets? Basically, Microsoft and a few others. How can I trust J Random Developer? More to the point, doesn't this create an oligarchy with Microsoft at the top? How does J Random Developer get me to use his applet? Just because he signed it doesn't mean it doesn't have bugs that can cripple my system or Trojan horses that can do other nasty stuff.

How does Java work? If I write a Java applet, this code passes through a sanitizer/verifier before the Java Virtual Machine even tries to execute it! There are no pointers in Java, so there's no way to inject sneaky code. The Java machine code is scanned at applet-start time to ensure that it does not contain any funny stuff that could affect its integrity.

Once this applet is delivered to a browser, there are safeguards that Microsoft and Netscape put into their browsers' Java SecurityManagers. These SecurityManagers MUST be started prior to any applet code being executed. This object filters "potentially dangerous" operations and denies some set of them. What is denied is up to the browser implementer.

The Java designers saw at the outset that it was absolutely essential to first create the means of controlling what rights a downloaded, untrusted applet has. They knew all along that a trust-assignment system was also needed, but they decided to attack the tough problem first (Java has code signing now as well). So Java operates in a controlled environment, and the client/browser implementor (Microsoft, Netscape) controls what rights any applet has. The limits on Java applets are set by policy and NOT by the Java's basic design.

This is today's technology. It's good!

Now let's look at ActiveX. You said "Microsoft says you wouldn't pick up a random floppy off the street and run the software on it, so why should you do so with an untrusted application?"

Microsoft is right but their argument does not apply to Java, only to ActiveX. There are no permissions or safeguards on what an ActiveX control can do. Instead, Microsoft had to implement this code signing business to establish a trust level. The exposure to damage by ActiveX applets is not controlled at all, unless you, the user decide not to run something on your machine. They have no intrinsic safety system.

Microsoft has demoted Java into a Common Object Model implementation language. Meanwhile, JavaSoft is silent and continues to let Microsoft pick the arena and the set the terms of the battle. In the meantime, you and the rest of the trade press go along with what Microsoft says and tar Java with the same ActiveX security brush.

Thanks Bob. Turning to Bob Matsuoka, president of The Soho Internetwork Co., an all-NT ISP (so you know he thinks highly of SOME Microsoft technology):

Microsoft, with its efforts to push their "windows-centric" Internet, has consciously taken a step backward to reduce security problems associated with net-based computing, compared to efforts by Netscape and Sun.

ActiveX, OLE by another name, is an extension of desktop and LAN-based computing. It works best in a closed environment with known security. Java has been (re)written as an Internet technology. Its "sandbox" mode is far, far more secure than ActiveX.

My point is that Microsoft should be more forthcoming about ActiveX. Their continual statements to the effect that "yes, it has security holes but so does Java and Plug-Ins" is disingenuous at best. The naive user (as you so well pointed out) can not use them safely over the web, while Java applets can greatly enhance anonymous network computing. This is a crucial difference in technologies! We look at ActiveX in the same way we do Visual Basic. It's a great technology but has no business on the Internet.

Thanks Bob #2. John S. Quarterman, a long-time Internet analyst and author and President, Matrix Information and Directory Services, weighs in with this caution: "Microsoft has become an "authority" on the Internet, largely because people use its sloppy software. Like IBM before it, the Microsoft name sells, and its mistakes tend to slide off onto innocent bystanders or onto the substrate, which in this case is the Internet."

Finally, I leave you with a comment from Yusuf Mehdi, the product manager for Microsoft's Internet Explorer. "On average, I think Java is safer than ActiveX."

I thank you one and all for your letters.

David Strom
+1 (516) 944-3407
back issues
entire contents copyright 1997 by David Strom, Inc.