Closed Bug 303533 Opened 19 years ago Closed 19 years ago

InActiveX - secure (sandboxed) ActiveX implementation for Firefox

Categories

(Firefox :: Security, enhancement)

RESOLVED WONTFIX

People

(Reporter: billyeakk, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

=========ActiveX in Firefox=========

I know everyone's gonna rant about how this will open up 50000 holes, and the likelihood of Mozilla implementing such a thing is about as slim as a worm, but just to share an idea:

I propose an implementation of ActiveX called 'InActiveX'. This will run inside a 'sandbox' of sorts with privileges specified by the user through an 'Options' menu or something (like Java uses a sandbox for their applets and it's pretty secure too). Here's how it will work:

Firefox scans to see if the site uses ActiveX
then
Firefox scans to see if there is a JavaScript/Java alternative instead of that ActiveX

As soon as Firefox knows there's ActiveX components, it prompts the user. An ActiveX component WILL NOT BE DOWNLOADED until the user clicks 'OK'. There is no bypass to this, as the 'Temporary ActiveX Controls' folder will be LOCKED during this process.

Since few average users actually read the whole 'Not Digitally Signed' thing, a dialog simply asks the user:

=[InActiveX Permissions] =============
Do you want to use the ActiveX control on this webpage? The control will run inside the sandbox that keeps it separate from the operating system. If you would like to set Sandbox options, go to
Tools > Options > InActiveX > Sandbox

Here's what other users have said about this control:
[Now this is the most important part because it shows comments left by users, WHICH AVERAGE USERS WILL ACTUALLY READ. If a user says "It's a Virus!" and marks it with a 'Virus' flag, the average joe will read it. The user can determine a control's safety if there are enough 'malware' flags and can post their own.]
===============================

If the user still wishes to use it, he/she must click OK, which is not the default selection. The position of the 'OK' button changes so no malware can auto-accept. IF THE CONTROL HAS MORE THAN 50% 'BAD' (spyware, adware, malware, virus) FLAGS FROM USERS, THEN THE USER IS FURTHER PROMPTED FOR SECURITY REASONS. Once the control is downloaded, the user uses it. Once the user leaves the domain, the control is SECURELY DELETED (deleted and overwritten on disk).

Sandbox options dialog where users can configure Sandbox options (all options are checkboxes):
Allow incoming connections,
Allow data to be written,
Allow data to be read,
Allow outgoing connections
Spoof User-Agent as IE for Download (important because some sites only allow IE to get ActiveX)
Preserve my Settings
(I have more, but I'm too lazy) The user can also customize the sandbox for individual sites.

-----------------------------------
I'm sure if you can implement 'InActiveX', people will say 'Hey, MORE sites work with da Fox' and maybe people will shut up and stop saying "But I need IE to visit Windows Update!!!". InActiveX WILL BE a show-stopper for Microsoft, trust me.

Do you have any suggestions on how to make a secure InActiveX? Post them here!

Reproducible: Always

Steps to Reproduce:
1. Go to http://windowsupdate.microsoft.com/ in your Mozilla Firefox browser.
2. Wait for page to load.
3. Be dissatisfied with lack of ActiveX

Actual Results:
So I get a message that looks like this: Thank you for your interest in obtaining updates from our site. To use this site, you must be running Microsoft Internet Explorer 5 or later. To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.
(Obviously Micro$oft closed off the site to non-ActiveX browsers)

Expected Results:
It should've shown me the Windows Update screen, but noooooooo, I get this big error, and with an IE 6 spoof, a big blank. No update. No happy.

Now, I know that 'ActiveX' support was scrapped from Firefox because it was 'insecure'. The very framework is 'insecure'. The very premise is to make the browser ****. But all these can be fixed with the help of open source (however since the Microsoft ActiveX code is closed, we'll have to build one of our own, assuming Microsoft will even let us HAVE the code). I'm pretty sure we can do it, and if we do, that would be the greatest milestone in Firefox...let me emphasize that. GREATEST FREAKING MILESTONE: The Day People Could Update Windows on Firefox. It would also shut up many people who say Internet Exploder is better because it can use ActiveX (but THEIR implementation is BS). With InActiveX on our hands, we could pretty much WIN the browser wars for sure. I guarantee that, at the very least :P
Assuming for the moment that you could make an entirely secure and sandboxed ActiveX implementation (by the way, Java isn't as secure as you think it is), what would be the advantage? What site has used ActiveX in any useful fashion that doesn't intrude on the user experience and promote the horrendous way people tend to write websites right now? What whizbang feature on a non-MS site is actually needing ActiveX? Is it something that is truly worth this, because I am not seeing how this could possibly be a good idea in any way. I just don't see the advantage. For the record, you can still update windows without using IE or ActiveX, you are just required to use the hotfixes instead of the automatic updates (which you should be using anyway, since then you can review the changes each update makes).
If it was possible to run ActiveX in a sandbox, why isn't Microsoft using that technique? Why has no other company ever thought about that? The reason why Java can be run in a sandbox is that it's not machine code. That's a lot easier to secure (but still not perfect enough, Java spyware and malware also exist).
What sites do use ActiveX in a tolerable fashion? Mostly Microsoft sites (of course, that is expected since they were the ones who came up with this whizbang) but also my LogMeIn Remote Computer account (they have a Java implementation too, but that's slow as heck; the ActiveX version is speedy and has more features). I think people would stick to Firefox though if it had InActiveX, because it would be a pain in the **** to validate Windows by downloading something; just about every download on Microsoft requires some sort of ActiveX. So now we have 2 sites that use ActiveX, how about those anti-virus scanning sites? Now I know a lot of people already have anti-virus, but people have tried the Online Scans before just to see how AntiVirus 1 compares to AntiVirus 2. 3 (or more) sites now. But honestly, it's not about what ActiveX IS doing, it's what it COULD do with an extra 10% userbase.

On a side note: I know it's impossible to completely remove IE from one's computer without screwing up something else, but IE advocates use 'ActiveX' as an excuse to keep that browser.

On another side note: MSN Groups, the service I use for a community, uses a post system that doesn't work in Firefox, IE spoof or not. I think that might be ActiveX too, or just screwed up Javascript code. Plus the customization drag-and-drop content panels thing doesn't work in Spaces, and when trying to fix up your My MSN page.

On another side note: Gmail, as far as someone has told me, also has an ActiveX version, but they give Firefox a Javascript version. While I'm not wholly concerned, I think there might be advantages to the ActiveX version, or else Google could just give Javascript to everyone.

Next, I think Java might not be secure, but it is slightly more secure than other programming languages (and less secure than some, but still pretty much secure) by default. It, just like Mozilla Firefox, is built on a security framework that prevents programs from bypassing bytecode verification and such. In Java 1.2 applets, servlets, JavaBeans, and even full-out Applications can be configured with custom security levels. It's not perfect, but nothing is. But this isn't about Java, this is about Firefox (*kicks self*). Why can't we make an ActiveX non-machine-code version (is ActiveX machine code in the first place? If not we can just remodel the framework and it will be secure)? I'm not sure WHY Microsoft hasn't thought of that, but they sure haven't thought of anything really innovative in quite a while either :P

So let's recap and say some more:

Advantages:
- c|net cites lack of ActiveX support as a flaw in Firefox, see http://reviews.cnet.com/Mozilla_Firefox/4505-9241_7-31117280.html and view 'The Bad', and we want fewer flaws, right?
- if we make a secure ActiveX, it will encourage competitors, even MICROSOFT itself, to make secure versions of relatively insecure programs and show that anything can be made secure. It proves we DON'T sacrifice functionality for security, we make both.
- it's the main argument for IE advocates, we want them to switch
- ActiveX is useful AND COULD BE USEFUL on many sites, mostly Microsoft. But the lack of ActiveX support on the sites I visit makes me use the 'IEView' extension more than I'd like. Microsoft is a big company, and I sort of use their widespread services a lot.
- Java is very secure, not perfect though. (*kicks self again*)

Disadvantages:
- this could only be an advantage IF and ONLY IF the user pays attention to the dialog box (likely). This is likely because, as a Download.com user myself, I always look at ratings (even if not the actual comments) before I download something, or take word of mouth. This applies to the hundreds of users every day as well. With my system, rejection of bad ActiveX is, in theory, psychologically guaranteed.

Summary: Implementation of InactiveX is one of those things that is neither necessary, nor unnecessary, but more of a want (Microsoft is a monopoly, people use their services a lot, thus people get suckered into their closed-source ActiveX and shun Firefox). I am a forum explorer, and I know how often people cite ActiveX support the first time they use Firefox, and that's the last time they ever hear of Firefox (IE switchers). If Mozilla is willing to make the transition from Internet Exploiter easier on potential FF customers, InactiveX will make IE users feel right at home.
> But honestly, it's not about what ActiveX IS
> doing, it's what it COULD do with an extra 10% userbase.

Microsoft had about 95% userbase a few years ago. If no one was encouraged to write any decent ActiveX things then, I don't see why putting our userbase in would sway matters.

> - c|net cites lack of ActiveX support as a flaw in Firefox

Some sites cite having ActiveX as being a flaw in IE.

My thoughts on this are that what you propose is extremely difficult. The reason that Java is more secure is that it was built from the ground up to be run from a security sandbox. Java applets cannot call system functions except through the Java runtime, which runs security checks on every applicable call. To get that kind of security in ActiveX you would have to somehow intercept all calls into the OS that the app makes. I'm no expert but I expect that that is either impossible or likely to slow the control down to below Java speeds. As you say, ActiveX is closed source; it's not like we even have Microsoft's code to look at here.
(In reply to comment #5)
> Microsoft had about 95% userbase a few years ago. If no one was encouraged to
> write any decent ActiveX things then, I don't see why putting our userbase in
> would sway matters.

Who said nobody wrote 'decent' programs? Many companies did. Except that all the decent programs, however many there are, are outflanked by not-so-'decent' ones. The decent ones though, end up getting the spotlight in the end, but are marred by the bad reputation of Microsoft's ActiveX support.

> Some sites cite having ActiveX as being a flaw in IE

That's because they DON'T have a secure version.

P.S. Before anyone asks, this concept is also on SpreadFirefox.com in the wrong category, also written by me. :)
(In reply to comment #4)
First off, please make paragraphs, this is really hard to read.

> just about every download on Microsoft requires some sort
> of ActiveX.

Only Windows Update requires ActiveX. WGA authentication and the legitimacy check for downloads are both able to work in FF just fine due to them using Javascript, not ActiveX.

> But honestly, it's not about what ActiveX IS
> doing, it's what it COULD do with an extra 10% userbase.

The only thing I see happening with the userbase of ActiveX increasing is not a good thing. ActiveX (the entire idea behind it, and the way it works, I'm not talking about the implementation) is insecure. It is a horrible horrible idea. I don't even want to fathom how much more broken things would be right now if more sites used ActiveX (IE or no).

> On a side note: I know it's impossible to completely remove IE from one's
> computer without screwing up something else, but IE advocates use 'ActiveX' as
> an excuse to keep that browser.

Most IE advocates are also idiots. Most of the ones I have talked to either A) Knew what they were talking about and presented some valid points that, while I refute them, work for them or B) Had no freaking clue. None have mentioned ActiveX, so your entire point here is moot. Not to mention, like I said, most IE advocates are idiots, enough said.

> or just screwed up Javascript code.

Ding! Ding! Ding!

> Plus the customization
> drag-and-drop content panels thing doesn't work in Spaces, and when trying to
> fix up your My MSN page.

This might be a workable bug for either a workaround or evangelism.

> On another side note: Gmail, as far as someone has told me, also has an ActiveX
> version, but they give Firefox a Javascript version. While I'm not wholly
> concerned, I think there might be advantages to the ActiveX version, or else
> Google could just give Javascript to everyone.

I've never seen this ActiveX version. Gmail on IE looks like it still uses Javascript to me. Also, most of the persons using Gmail that I know don't even use the web interface, they use it as a free 2GB POP3 box.

> Next, I think Java might not be secure, but it is slightly more secure than
> other programming languages (and less secure than some, but still pretty much
> secure) by default.

I'm not going to get started on language wars, but I think the idea of trying to increase security by dumbing down programming is generally a bad idea. For the record, dumbing it down to 'increase security' doesn't work.

> *snip*

I think this should probably be WONTFIX, but I am going to go ask somebody who has seniority on me to take a look at it. I don't want to turn Bugzilla into a foundation for arguing the pros and cons of different sorts of languages, so this might be better suited to a third-party extension that could be argued about on MozillaZine.
This doesn't belong in the security component, definitely. Moving to General since I don't see anything that better fits.
Component: Security → General
<-WONTFIX
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
Most of the examples of legit ActiveX you cite, such as virus scanners and Windows Update, would not work in a sandbox. We're not going to create a security UI for the Win32 API so users can specify what ActiveX controls are allowed to do. Firefox is a web browser, not an operating system.
Component: General → Security
Summary: InActiveX - SECURE ActiveX implementation for Firefox → InActiveX - secure (sandboxed) ActiveX implementation for Firefox