Java, Javascript & Activex?

Discussion in 'other software & services' started by trainride, May 21, 2004.

Thread Status:
Not open for further replies.
  1. trainride

    trainride Guest

    Hi
    Can someone explain to this newbie what ActiveX, Java, Javascript, and VBscript are? And what will happen if we turn them completely off in our browsers? Can we still surf the internet ok or will there be problems? Thanks.
     
  2. Riverwind

    Riverwind Guest

    Javascript - JavaScript is an interpreted, object-based scripting language. JavaScript code is embedded directly onto HTML pages and is interpreted by the browser (Netscape Navigator 2.0 or greater, Internet Explorer 3.0 or greater).

    "JavaScript is used to create client interactive pages, creating forms, responding to mouse clicks, form input and page navigation. It supports the creation of code that handles text boxes, buttons and other form elements. For example, you can write a JavaScript function to verify that users enter valid information into a form requesting a telephone number or zip code. An HTML page with embedded JavaScript can interpret the entered text and alert the user with a message dialog if the input is invalid. Or you can use JavaScript to perform an action (such as play an audio file, execute an applet, or communicate with a plug-in) in response to the user opening or exiting a page."

    My comment: This is what Internet Explorer calls "Active scripting" (together with VBScript). Many, many sites use Javascript (JS). Some for minor stuff which you won't miss (changing your status bar, popups, looping animations); others can be irritating if you turn off JS, e.g. Javascript links that won't open when you click on them.

    Security-wise, JS can cause irritating effects, such as endless popups and looping message dialog boxes, and on top of that, of the many IE exploits available, almost all of them need to use JS. JS tricks can also cause minor privacy concerns, such as detecting your browser, working on cookies.

    Recommendation: For functionality ENABLE IT in the Internet zone. I would set to PROMPT however for the option "Allow paste operations via script", since with the right JS script, a website can steal info you cut and paste on your clipboard. If you are paranoid, disable it definitely, and enable it only on trusted sites. A middle path would be to use a local HTTP proxy filter like Proxomitron to filter out some of the more irritating JS effects.

    VBSCRIPT

    "Microsoft created a cut down version of their popular programming language Visual Basic to implement a scripting language that would extend HTML and add dynamic content to WWW pages. Visual Basic Script was created by Microsoft. Microsoft Internet Explorer supports it.

    Similar to JavaScript, VBScript is interpreted by the browser and the pages modified appropriately. VBScript code is embedded in HTML documents the same way as Javascript does, and provides very similar functionality. It is not supported by Netscape Navigator or browsers other than Microsoft's Internet Explorer."

    MY COMMENT: Very few sites use this, so it should be safe to turn it off. Unfortunately, in Internet Explorer, the option for this is under ACTIVE SCRIPTING, so you can't turn it off without turning off the very much more useful Javascript.

    Recommendation: See Javascript.

    JAVA

    "Java was invented by Sun, makers of UNIX workstations. The idea behind Java is to create a portable programming language that would work on a wide variety of different hardware platforms. Remember that a Java application is a standalone Java program-- a program written in the Java language that runs independently of any browser. The code is downloaded to the client workstation, then compiled and run.

    A Java application running in a browser window is called an Applet. The Microsoft implementation of Java for Internet Explorer extends it to allow interaction between active x components and visual basic script, meaning that VB script code can interact with the Java Applet in the browser, thus controlling its behavior."

    Comments: Java is often compared to ActiveX because both are used to run full-blown programs which can basically do anything. http://www.cs.princeton.edu/sip/java-vs-activex.html, for example, considers the tradeoffs. In essence, Java applets use "sandboxes" which give restricted access to what such programs can do, while ActiveX relies on trusting the ActiveX control because it is signed.

    There are also currently 2 types of Java, SUN JAVA and the Microsoft version.
    Of the two, currently, SUN JAVA is considered more secure. Depending on which operating system you have, you may have SUN JAVA (Windows XP SP 1) or MS JAVA (probably anything else).

    Recommendation: While in the past JAVA exploits seemed to occur almost weekly, these days they are rare. So enable it. Still, even if JAVA applets are essentially secure, they can still pose some problems for privacy (similar to JS). So it's up to you. Personally my gut feel is that currently JAVA is much safer than Javascript. Unfortunately, for most sites you can probably get away with turning off JAVA while this cannot be said for Javascript.

    ACTIVEX

    "This technology, created by Microsoft, allows the embedding of Active X objects (actually OLE) into HTML pages. Using VBScript, code can manipulate the properties of the Active X objects directly. This allows interaction between the HTML page and the object, unlike Java Applets where the user interacts with the Applet and not the document."

    COMMENT: ActiveX is probably the most dangerous of all the technologies listed above. Unlike Java, there are no safeguards such as sandboxes; instead it relies on signatures. The problem with this is that anyone can sign anything, but it is up to you the user to decide who to trust.

    In the past, ActiveX controls have been the technology of choice used by spyware makers to infect computers. Various tricks including spamming the user with countless ActiveX permission boxes, tricking the user to accept install, using unpatched exploits to autoinstall ActiveX controls etc.

    RECOMMENDATION: Definitely use SpywareBlaster, which blocks known bad ActiveX controls. I find that in general you can probably get away with disabling ActiveX. Still, some sites really need it for legitimate purposes (online virus scanners, Windows Update!), and those are usually signed. So I recommend disable unsigned ActiveX, and set signed ActiveX to prompt. Since whether an ActiveX control is "marked safe for scripting" or not is set by the ActiveX control programmer, I don't trust those any more either, so set those to Prompt.

    Quotes taken from

    http://www.iitd.ac.in/cgi-bin/nph-p/http/10.116.2.57/course/ma200/whatis.htm
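
The recommendations in the post above correspond to per-zone registry values that Internet Explorer reads. The PowerShell audit below is an added example, not part of the thread: the URL action IDs (1400, 1407, 1001, 1004, 1405), the policy values (0/1/3) and the zone key path come from Windows' Internet Settings registry layout rather than from the post, and the function names and sample data are constructed for illustration.

```powershell
# Policy values stored for each URL action under ...\Internet Settings\Zones\<n>
$PolicyName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Target state taken from the post's recommendations for the Internet zone.
$Recommended = [ordered]@{
    '1400' = @{ Setting = 'Active scripting';                        Want = 0 }
    '1407' = @{ Setting = 'Allow paste operations via script';       Want = 1 }
    '1001' = @{ Setting = 'Download signed ActiveX controls';        Want = 1 }
    '1004' = @{ Setting = 'Download unsigned ActiveX controls';      Want = 3 }
    '1405' = @{ Setting = 'Script ActiveX marked safe for scripting'; Want = 1 }
}

# Hypothetical helper: read the current user's values for one zone (3 = Internet).
function Get-ZoneSettings {
    param([int] $Zone = 3)
    $key   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $props = Get-ItemProperty -Path $key
    $found = @{}
    foreach ($id in $Recommended.Keys) { $found[$id] = $props.$id }
    $found
}

# Hypothetical helper: compare a table of (action ID -> DWORD) with the target state.
function Test-ZoneSettings {
    param([Parameter(Mandatory)] [hashtable] $Actual)
    foreach ($id in $Recommended.Keys) {
        $want = $Recommended[$id].Want
        $have = $Actual[$id]
        [pscustomobject]@{
            Id      = $id
            Setting = $Recommended[$id].Setting
            Current = if ($null -eq $have) { 'not set' } else { $PolicyName[[int]$have] }
            Wanted  = $PolicyName[$want]
            Ok      = ($have -eq $want)
        }
    }
}

# Constructed sample: scripting on, but paste and ActiveX settings looser than advised.
$sample = @{ '1400' = 0; '1407' = 0; '1001' = 1; '1004' = 1; '1405' = 0 }
Test-ZoneSettings -Actual $sample | Format-Table -AutoSize

# On a Windows machine, audit the live Internet zone instead:
# Test-ZoneSettings -Actual (Get-ZoneSettings -Zone 3) | Where-Object { -not $_.Ok }
```

With the constructed sample, rows 1407, 1004 and 1405 come back with `Ok = False`; the other two match the post's advice.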
     
  3. trainride

    trainride Guest

    Wow! Thanks for the very in-depth explanation Riverwind.
     