Browser Security

What a hellacious week. First I got a summer flu. Then I sprained my ankle. And finally my bathroom turned into the Thing that ate Cleveland when raw sewage overflowed from the toilet and bathtub for three hours.

So in case you really missed these columns, I have a good excuse. It’s been a bad week.

In the news lately has been the release of Microsoft Internet Explorer 3.0 and Netscape Navigator 3.0. The arguments have been raging, and the venom has been flying. Here is a little smattering.

Internet Explorer’s security is based on a front-door system. IE asks you whether a site is trusted and only downloads ActiveX controls from approved sites. Netscape automatically downloads applets, but restricts their access to the user’s system with a sandbox. Both systems have been scrutinized and smacked around collectively by the media.

Unfortunately, there isn’t a good solution for this problem. Users want fully functional applications that provide rich and dynamic interaction without even a hint of danger. The problem is that the more functional you make the environment, the more likely abuse will occur. It’s a catch-22. I think that Netscape’s sandbox and Microsoft’s certificate systems are complementary and don’t have to compete. They are fairly complementary and can be used in tandem. The problem with that is that the competition between Netscape and Microsoft prevents them from agreeing on standards or adopting each other’s “good ideas”.

Normally I am the first one to defend Microsoft because I’m a big suck-up, but this time I think Microsoft is missing the boat. The Microsoft model assumes that you must label a site trusted before downloading controls from it. But this kills the whole self-publishing model. Why should some billion-dollar company get trusted status because of name recognition while my really cool and safe control isn’t seen because I’m nobody?

The web is the greatest distribution channel ever devised, giving millions of people, armed only with computers, the means to publish worldwide. Microsoft’s security methodology gives large corporations an advantage that isn’t fair.

I hope they change this security model and embrace the sandbox method limiting access of the ActiveX control. Otherwise, I’m going to have to spend a lot of time getting people to trust me.

Whatya think?