GregWeber
asked on
Active X Control Security Questions
I have been building my first web based application in vb.net.
It uses the standard HTML controls in addition to:
PeterBlums datepackage
the Infragistics Grid and Tabbed Folder control.
All has been going great, but my largest client has a consultant that has recently raised a security issue regarding ActiveX controls and that they pose a security risk to the web site. That is all he said, no specifics. While the application is extensive, it is my first and I have 0 experience in the security area of web controls so I can respond with confidence. Am I really at risk? I really don't know.
To be honest, after doing this for 20 years I feel pretty stupid right now. Can someone help me rebuff this? I really don't know how to respond. I have not focused on the security of the controls but rather the content and functional capability of the web site. It may be naive, but things have been working and at some point I begin to trust that the tools I am using are built by people with far more experience and knowledge in those areas, and believe they have covered their butts and in turn mine. After all, when I buy a hammer from Sears I am not concerned it will explode when I hit the first nail, if you know what I mean.
Any help or guidance on this would be greatly appreciated.
thanks
ASKER
I appreciate the feedback thus far and am hoping for more. I already know more than when I woke up this morning, and it is always a good day when I learn something new.
In a nutshell, if you wrote it and have tested it then they have nothing to worry about; if it's on their LAN then their IE settings should allow it.
ASKER
So if it is reputable (i.e. PeterBlum, Infragistics) the same rules should apply.
Not sure about their credentials. Verisign is a very respectable signing authority. There are a few more worldwide known ones. Try googling around and see if you can find out something about their credentials.
Usually, you should be able to check the credentials stuffed in a control by looking at the property page of the certificate.
You could make your client happier by getting the ActiveX control signed and, if you need to script it from within the HTML, get it marked as 'safe for scripting'.
-P
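The two checks mentioned in the replies above (who signed the control, and whether it is marked 'safe for scripting') can be read from a Windows machine where the control is installed. The following is an added example, not part of any poster's reply; the function name `Get-ActiveXAudit` and the placeholder CLSID are assumptions made for illustration.

```powershell
# Added example: audit one registered ActiveX control by CLSID (read-only).
# CATIDs a control registers under "Implemented Categories" to declare itself safe.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C4EFD}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C4EFD}'

function Get-ActiveXAudit {
    param([Parameter(Mandatory)][string]$Clsid)

    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $base)) {
        throw "CLSID $Clsid is not registered in this registry view."
    }

    # Binary that implements the control (default value of InprocServer32).
    $server = (Get-ItemProperty -LiteralPath "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $path = if ($server) { [Environment]::ExpandEnvironmentVariables($server.Trim('"')) }

    # Authenticode check: the same data the certificate property page shows.
    $sig = if ($path -and (Test-Path -LiteralPath $path)) {
        Get-AuthenticodeSignature -FilePath $path
    }
    $cert = if ($sig) { $sig.SignerCertificate }

    # Kill bit: "Compatibility Flags" with 0x400 set stops IE loading the control.
    $kbKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $kb = Get-ItemProperty -LiteralPath $kbKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Clsid               = $Clsid
        Binary              = $path
        SignatureStatus     = if ($sig) { $sig.Status } else { 'BinaryNotFound' }
        Signer              = if ($cert) { $cert.Subject }
        Issuer              = if ($cert) { $cert.Issuer }
        NotAfter            = if ($cert) { $cert.NotAfter }
        # False here is not conclusive: a control can also assert safety
        # at run time through the IObjectSafety interface.
        SafeForScripting    = Test-Path -LiteralPath "$base\Implemented Categories\$SafeForScripting"
        SafeForInitializing = Test-Path -LiteralPath "$base\Implemented Categories\$SafeForInitializing"
        KillBitSet          = [bool]($kb -and ($kb.'Compatibility Flags' -band 0x400))
    }
}

# Constructed placeholder CLSID; substitute the CLSID of the control under review.
# Get-ActiveXAudit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

On 64-bit Windows, run this from a PowerShell host of the same bitness as the control, since 32-bit controls are registered in the 32-bit registry view.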