Bad Web Design - ActiveX
by: Richard Lowe, Jr.
ActiveX uses an interesting method for enforcing security
... it doesn't. Well, that's not exactly true. What
happens is when a web page requests an ActiveX control
the browser determines if that control is already
loaded onto your system. If it is, the ActiveX control
is executed. If not, the user is asked if it is okay
to install the control. Additional information about
where the control came from and its security implications
is also included.
The theory behind this security model is the user
knows what's best for his system. In my humble opinion,
this is pure hogwash (a stronger expletive came to
mind but this is a family site). Is your average web
surfer really knowledgeable enough to make a decision
like this? Look at it this way: by installing an ActiveX
control you are assuming it is secure, won't damage
your system and is bug-free. You are basically trusting
completely the company which created the control,
the developers and the people distributing the image.
Yes, there are security certificates involved, but
those are relatively easy to get. Also remember how
many security problems have been reported involving
ActiveX controls.
I don't know about you, but when I get that little
box stating a site wants to install an ActiveX control,
my first impulse is to hit the NO box, quickly followed
by the BACK key. This may seem a bit paranoid, but
I use my computer all day long and I depend upon it
for business and pleasure. Why would I want to put
it at any risk for some silly little ActiveX control?
The web is a huge place and there are plenty of other
sites to look at.
My advice to anyone is generally don't allow ActiveX
controls to be installed from anywhere except for
really big sites like Microsoft. It's just too difficult
to judge how safe or unsafe the control happens to
be.
How is this different from Java? Well, Java has an
entirely different security model which does not make
the assumption that the user has been educated about
the specific Java applet. Java sets specific rules
to what an applet can and cannot do, and generally
these rules do an excellent job of preventing damage
to a system (there have been bugs but nowhere near
as many as with ActiveX).
On top of the security concerns, ActiveX only works
in Internet Explorer. Yes, I know there is a plug-in
for Netscape but it's slow and not very usable.
Besides, most Netscape users don't have it installed.
If you are designing a web site, please consider this
very carefully. If you include ActiveX controls you
are losing as many as 50 percent of your visitors.
Perhaps more, depending upon your market. Is any functionality
that you might gain worth that cost?
Of course, if you are creating an Intranet (a web
local to a company) then by all means use all of the
ActiveX controls that you want. In this case, you
have far more control over the user environment than
you have on the web.
About The Author
Richard Lowe Jr. is the webmaster of Internet Tips
And Secrets. This website includes over 1,000 free
articles to improve your internet profits, enjoyment
and knowledge.
Web Site Address: http://www.internet-tips.net
Weekly newsletter: http://www.internet-tips.net/joinlist.htm
Claudia Arevalo-Lowe is the webmistress of Internet
Tips And Secrets and Surviving Asthma. Visit her site
at http://survivingasthma.com