Plugged In

October 7, 1996

How safe is surfing the Web?

By Bob O'Donnell

Like most people involved with technology, I scour the Web on a daily basis looking for news and other information that helps me with my job and piques my personal interests. The process seems perfectly innocuous -- I enter an URL in my browser and click on links to jump around from site to site.

The problem is, as sites add more eye-catching "features" -- such as Java applets and ActiveX controls -- a lot more is happening on my PC that's beyond my control. Unbeknownst to me and without my requesting them, tiny applications and other chunks of code are being brought into my computer, executing and performing operations. Thankfully, the overwhelming majority are harmless little gimmick apps, but the potential is there to cause major destruction of your data -- just by visiting a site or clicking on a link.

Of course, this isn't anything new -- the capability to run Java applets has been built into Netscape's Navigator for some time (as has the ability to turn off Java applets). Also, I realize that Java applets are "sandboxed," which essentially means they cannot write to disk and, at their worst, can only cause a machine to lock up. But with the recent release and wide acceptance of Netscape's Navigator 3.0 and Microsoft's Internet Explorer 3.0 -- which support Navigator plug-ins and ActiveX controls, respectively -- all bets are off. Navigator plug-ins and ActiveX controls can write to disk, as well as perform other low-level operations, and could potentially spread viruses, erase your drive, or cause any number of other problems. The now infamous Internet Exploder ActiveX control, for example, will shut down Windows 95 machines with a Power Management BIOS as soon as you click on it. You can check out the site, without clicking the notorious control, by linking to http://www.halcyon.com/mclain/ActiveX/welcome.html#activex.

All the companies involved claim to have solutions that address these problems, but I remain unconvinced. Microsoft, for example, is touting its Authenticode technology, which allows software developers to "sign" their code and lets users know that the ActiveX control in question was, in fact, created by whoever claims to have created it and hasn't been altered since the verification process. The authentication process does not, however, tell you whether or not the code is safe or free from viruses.

Microsoft maintains that clearly identifying the publisher will deter individuals from creating rogue controls. According to the company, publishers could easily be found and presumably sued in the event a control caused catastrophic damage on an individual's machine or a company's network. (Interestingly, the process hasn't deterred Fred McLain, the creator of Internet Exploder; he recently had a certificate created for his control. This means that if a user has set the Security setting in Internet Explorer to medium -- the default is high -- Explorer will download and run Internet Exploder without a warning on a page or link that contains it, with the resultant effect.)

The bottom line with Authenticode (assuming everyone even decides to adopt it -- which is a whole other issue) is that each user has to decide whether they trust the company that's created the control. Although that sounds fine in theory, it basically means that most people will only download controls from the big, well-known vendors. Where does that leave the little companies that often offer the great innovations? It also creates a false sense of security because even Microsoft has inadvertently sent out finished products with viruses.

Netscape isn't really any better on these security issues. The company highlights the fact that Java apps are sandboxed, but seems to ignore the possible security problems surrounding Navigator plug-ins. Netscape has announced plans to support the X.509 certificate standard that Microsoft used as the basis for Authenticode, but in the meantime offers no concrete solution. Besides, forthcoming extensions to the Java language will allow Java apps to reach outside the sandbox, so the primary crutch will soon disappear.

The sad truth is, there's no easy answer for ensuring that Web browsing is a safe, secure activity, short of turning off all Java applets and ActiveX controls -- which seems a bit extreme. Even worse, as the Web evolves into a huge network distribution system for more software components, I'm afraid the problems will only get worse. I certainly don't intend to stop my surfing sessions as a result of these concerns, but from now on I'm going to look both ways before I click on a site.


© Copyright 1996, by InfoWorld Publishing Corp., a subsidiary of IDG Communications, Inc. Reprinted from InfoWorld, 155 Bovet Road, San Mateo, CA 94402. Further reproduction is prohibited.

 

 

