[opensource] New Web Browser

Brian Swaney swaney.29 at osu.edu
Thu Oct 25 18:21:53 EDT 2007


ActiveX seems to work in them, but with a prompt. The nice thing is that 
they added a "What's the risk?" option to the menu that pops up, to 
explain (albeit vaguely) what the risk is, but it still works when 
allowed. I haven't had IE6 on my XP partition for a while (well, used 
it; I formatted a few times), so I don't know how it works in that one 
for sure. Supposedly IE7 is safer, so I upgraded right away, although I 
always use Firefox.

Regardless of what exactly ActiveX can do right now, the main purpose of 
my article was the browser. The school is acting like a content 
producer, in that they're afraid of what users can do with their 
computers, but they're trying to make the students use them, so they 
dish out restrictive software. The software, like anti-piracy 
mechanisms, is not very effective at its job and, if anything, merely 
annoys the honest students who are genuinely interested in learning the 
content. The school still offers it as an option to professors, though. 
If they start relying on that to stop cheating, the problem is going to 
get worse, along with the frustration of students having to use this 
program. My proposed solution is that the online testing without the 
browser be an option, with whatever (non-ActiveX) restrictive scripts 
they feel like, but secure testing be taken in person. No crapware 
browser. If they /absolutely/ must have their new program, then it 
should be done in some specifically designated testing zone, where it's 
quiet, closely monitored for cheating, and non-admin privileges are 
limited, sort of like the computers in Mirror Lake Cafe, only with 
Respondus instead of IE6. No installing it on home computers, no saying 
"well, if you run Linux or don't have a computer then just take it in 
the lab", nothing of that sort. It won't even work.

Personally, I think some of its operating system hooks are worse than 
the ActiveX installer. The browser /can/ malfunction. I'm not sure I 
want to say exactly how I froze it in my tests just yet, but it can 
freeze. Normally, when a program freezes, you close it with [Ctrl] + 
[Alt] + [Delete], but the makers thought students "couldn't be trusted" 
with that ability, so the program hooks the OS to block that and alert 
you that you're not permitted to run programs such as the task manager. 
I then blocked the task manager from being disabled with McAfee's access 
control thing, and it saw it couldn't block it, so it closed the window 
immediately (within a quarter of a second at most) upon opening. Now, suppose 
a test's source is poorly written and the page freezes, the connection 
lags, or something of that sort: the user has to shut off the computer 
to escape, and probably fails the exam in the process. I know it's sort 
of an unreasonable risk to consider, since almost everyone will be doing 
this from a lab or dorm (on OSU's own network), making this extremely 
hard to create, but what if the connection is hijacked (or the browser's 
built-in homepage)? I don't know what security alerts the browser pops 
up, and it certainly doesn't display the URL or security certificate, so 
a user could easily fall for a school-credential-based phishing attack 
and have no way of knowing it, though if someone were that determined, 
the victim probably wouldn't have much hope anyway, I suppose.

Even if the user doesn't have another computer or virtual machine, all 
someone has to do is send them an instant message in an unrecognized 
(non-proprietary) program (like Pidgin, from my example) with a link in 
it, the user clicks the link, and the default browser (even Firefox, 
which I'm sure is recognized) opens right up, then they type google.com 
or something... and, well, you get the idea. It's not very hard to open 
other windows on the browser, just frustrating with the full-screen 
window that hides the taskbar.

-Brian Swaney


Marc Uhrich wrote:
> I'm responding to both Brian's and Adam's comments here.....
>
> What Paul means by "context of your username" is the permission
> structure of the user account logged onto the computer at the time.  For
> example, if you logged into a lab computer where there are a lot of
> restrictions, the code the ActiveX control runs will be limited by these
> restrictions.  If you are running your computer with administrator
> privileges, like most Windows users, the ActiveX control can do *pretty
> much* anything it wants.  
>
> This is a fundamental issue between convenience and security.  ActiveX
> controls allow people to write really sophisticated web applications,
> but open them up to severe vulnerabilities.  Microsoft has figured out
> this glaring security hole and made some attempts to mitigate it in IE
> 7.   As far as I know, IE 7 on both Windows XP and Windows Vista
> disables ActiveX controls and disables the prompt to install them.
> Prior versions prompted, but naive or uninformed users would just click
> yes to make things work and circumvent this control.  It's nice to see
> that they might limit ActiveX code in IE7+ instead of just "hiding it".
> To be honest, I haven't been following it much.
>
> All of this reminds me of the famous quote in Spiderman "with great
> power, comes great responsibility".  Using the countless spam messages
> and continuous net attacks we get here at the Graduate School as an
> indicator, I don't think the general internet community is, or will be,
> ready for the responsibility. 
> Marc Uhrich
> Systems Engineer @ OSU Graduate School
> 247 University Hall, 230 N Oval Mall
> Columbus, Ohio  43210
> (614) 292-0600
>  
>
> -----Original Message-----
> From: opensource-bounces at cse.ohio-state.edu
> [mailto:opensource-bounces at cse.ohio-state.edu] On Behalf Of Adam C.
> Champion
> Sent: Thursday, October 25, 2007 2:33 PM
> To: opensource at cse.ohio-state.edu
> Subject: Re: [opensource] New Web Browser
>
> Wow. I thought ActiveX scripts ran in a "sandbox" within the client's IE
> browser, like Java applets do in any browser. I know IE 7+ in Vista
> places restrictions on scripts and "active Web content", but users of
> previous Windows versions can't download IE 7+! So other versions of IE
> run ActiveX scripts with the user's permissions? Yikes.
>
> I can think of many ways these "features" can be abused, and potentially
> open up security vulnerabilities...
>
> -Adam
>
> Paul Betts wrote:
>
>>> but how does it "lock down" students' *entire* interaction with the 
>>> OS (e.g., prevent them from closing or minimizing the browser)?
>>
>> If they're running their own ActiveX control, they can do *anything 
>> they want*. They are running arbitrary C++ code in the context of your
>> username.
>
> _______________________________________________
> Opensource mailing list
> Opensource at cse.ohio-state.edu
> http://mail.cse.ohio-state.edu/mailman/listinfo/opensource
>
