W3C home > Mailing lists > Public > w3c-wai-ig@w3.org > October to December 2003

Re: NIH self-reading Web site

From: David Woolley <david@djwhome.demon.co.uk>
Date: Sun, 26 Oct 2003 19:28:02 +0000 (GMT)
Message-Id: <200310261928.h9QJS2H07333@djwhome.demon.co.uk>
To: w3c-wai-ig@w3.org

> I am certain that the web site is fine.  The reason the controll is flagged
> as unsafe is most likely a caution more than anything else.

That is how one gets compromised by internet worms.  An Active-X control
that is unsafe for scripting means that a script from a web site can make
permanent changes to your system, or retrieve private data, by using
that control.  It means you must have trust the people running the web
site and trust that it really is the web site you intended; a minimum
requirement for the latter is using SSL (https), but most people don't
actually know how to use that securely (but this use of SSL is why the
trusted zone in IE can be restricted to SSL sites).

A significant proportion of Microsoft security vulnerabilities are
the result of Active-X scripts that should have been marked unsafe
for scripting but were not.  In fact, the main security reason for
disabling scripting these days is because you can't run a control
that should have been marked unsafe, if you don't use scripting at
all.

A most fundamental rule of security is never disable a security measure
just because someone tells you to; if you are unlucky they are attempting
a social engineering attack, but, otherwise, they may well not 
understand the implications of what they are doing and be doing it
because it is convenient.
Received on Sunday, 26 October 2003 14:40:14 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 19 July 2011 18:14:12 GMT