In the trust model we trust?

Internet security critics blast Microsoft's cherished "trust model" for software downloads, but alternatives--such as the "sandbox" that shields Java programs--can seriously limit performance.

Trust is an essential part of relationships. Without trust, depositing your paycheck at the bank, asking a friend to take care of your house, and countless other everyday tasks and decisions would be frightening, high-risk ventures.

Increasingly on the Internet, users are being asked to trust Web sites and software that could, in theory, cause serious damage to their computers, like wiping out a hard disk or snatching private data. Chief among the proponents of a "trust model" for Internet security is Microsoft (MSFT), which argues that users must trust applications if they want them to do anything useful on their computers.

Security experts are critical of the risks of technologies that rely solely on the trust security model, such as Microsoft's ActiveX. But there's also growing recognition that alternatives to the trust model--such as the "sandbox" that shields Java programs--can seriously limit the functions that such programs can perform and that a combination of the two models may be the safest road for companies to follow.

Even Sun Microsystems, a vocal critic of Microsoft's stance on security, has acknowledged that its sandbox can limit the capabilities of Java applets. The company has already begun to modify its security model to allow applets to venture outside the sandbox for specific functions such as reading data from a hard disk.

"There are limits to the functionality you can have in the sandbox," said Stephen Cobb, president of Cobb Associates, a Titusville, Florida, security consultancy.

Still, Microsoft maintains that the trust model is the only feasible solution for downloading software components, which are increasingly being embedded in Web pages, from the Net. The company has long compared downloading software components off the Net to purchasing software from a retail store. Microsoft permits software publishers to stamp their code with digital certificates which, like labels on software boxes, indicate programs' reputable origins.

But the analogy to physical stores breaks down on the Net, security experts say. "The difference is on the Internet we expect software to be shipped around much more frequently," said Edward Felten, assistant professor of computer science at Princeton University. "People want to automate the downloading of software. You go to Egghead relatively rarely. The question is whether people will exhibit the same level of care as they do when purchasing software in the store."

Indeed, some companies prefer to use technologies, such as Java, that provide end users with a protective shield against harmful code.

"If you have to assume every program you want to download is stamped with a digital signature, you are sort of defeating the purpose of this whole model of computing," said John Gawkowski, vice president of marketing at the Coris division of printing giant R.R. Donnelley & Sons Company.

Today, Microsoft introduced a series of new security technologies to be included in its Internet Explorer 4.0 browser that may ease the burden of trust on end users. One feature allows IS managers to create "trusted" and "untrusted" Internet "zones" or Web sites. Although the feature does not alter the underlying security architecture of ActiveX, it does give IS managers in corporations the ability to limit potential security risks by establishing ad hoc neighborhoods on the Net where end users may safely roam.

But, for all their risks, technologies like ActiveX tend to be more flexible than tightly sandboxed technologies. In recognition of that, Sun has introduced several security changes in its Java Development Kit 1.1 that permit applets to go outside the sandbox. Version 1.2 of the JDK, due out this summer, will include a number of related security modifications.

Like ActiveX controls, such applets must be stamped with a digital certificate that could allow end users to track down a software publisher should a program damage their computer.

But Sun says that its Java security model is different from ActiveX since it gives developers and IS administrators the option of keeping programs inside a sandbox.

"Digital signature can by no means be the core of a security model," said Sun spokeswoman Lisa Poulson. "We don't require end users to depend only on digital signatures. We are assuming people that use them do so in an informed manner. They have a choice."

Felten said that Sun's security model may provide a good balance between trust and the sandbox. "Even if you give more privileges to trusted code, you want to be able to audit what that code does," he said.
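The combined model the article circles around (publisher signatures as in L18, administrator-defined trusted and untrusted zones as in the Internet Explorer 4.0 feature, signed applets that may leave the sandbox, and Felten's point that privileged code should still be audited) can be illustrated with a small policy engine. The following is an added example, not code from Microsoft, Sun or any product named in the article. It assumes a constructed publisher trust store, a constructed zone table, and the names `grant_privileges`, `Component` and `demo`; HMAC-SHA256 stands in for the publisher's public-key signature because the Python standard library has no asymmetric primitives, and the policy logic, not the primitive, is the point.

```python
import hashlib
import hmac

# Constructed trust store: publisher name -> key that verifies its signature.
# HMAC-SHA256 is an assumption standing in for a public-key code signature.
PUBLISHER_KEYS = {
    "Acme Components": b"constructed-acme-signing-key",
}

# Constructed zone table in the spirit of administrator-defined "trusted" and
# "untrusted" zones: anything not listed is treated as untrusted.
ZONES = {
    "intranet.example": "trusted",
    "www.example.net": "untrusted",
}

# Sandbox privileges: what any downloaded component may do regardless of signature.
SANDBOX = frozenset({"net:origin", "ui:draw"})
# Privileges granted only to validly signed code loaded from a trusted zone.
TRUSTED = SANDBOX | {"file:read", "file:write", "net:any"}


def sign_code(code: bytes, publisher: str) -> str:
    """Publisher side: produce the signature that travels with the component."""
    return hmac.new(PUBLISHER_KEYS[publisher], code, hashlib.sha256).hexdigest()


def verify_signature(code: bytes, publisher: str, signature: str) -> bool:
    """Client side: the signature must match the bytes that were actually downloaded."""
    key = PUBLISHER_KEYS.get(publisher)
    if key is None:  # unknown publisher: no basis for trust
        return False
    expected = hmac.new(key, code, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def grant_privileges(origin: str, publisher: str, code: bytes, signature: str) -> frozenset:
    """Combine both models: only a valid signature AND a trusted zone leave the sandbox."""
    zone = ZONES.get(origin, "untrusted")
    if zone == "trusted" and verify_signature(code, publisher, signature):
        return TRUSTED
    return SANDBOX  # unsigned, tampered, unknown publisher, or untrusted zone


class Component:
    """A downloaded component whose every privileged request is audited."""

    def __init__(self, name, origin, publisher, code, signature, audit_log):
        self.name = name
        self.privileges = grant_privileges(origin, publisher, code, signature)
        self.audit_log = audit_log

    def request(self, operation: str) -> bool:
        allowed = operation in self.privileges
        # Audit trail: record every request, allowed or denied, so that what
        # trusted code actually did can be reviewed afterwards.
        self.audit_log.append((self.name, operation, "allowed" if allowed else "denied"))
        return allowed


def demo():
    """Constructed scenario: the same component bytes arriving three different ways."""
    audit = []
    code = b"print('hello from acme')"  # constructed component body
    sig = sign_code(code, "Acme Components")

    trusted = Component("acme@intranet", "intranet.example", "Acme Components", code, sig, audit)
    # One byte altered in transit: the signature no longer matches, so it stays sandboxed.
    tampered = Component("acme-tampered", "intranet.example", "Acme Components", code + b"x", sig, audit)
    # Valid signature but served from an untrusted zone: also sandboxed.
    untrusted = Component("acme@web", "www.example.net", "Acme Components", code, sig, audit)

    results = {
        "trusted_reads_file": trusted.request("file:read"),
        "tampered_reads_file": tampered.request("file:read"),
        "untrusted_zone_reads_file": untrusted.request("file:read"),
        "untrusted_zone_draws_ui": untrusted.request("ui:draw"),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = demo()
    for key, value in results.items():
        print(f"{key}: {value}")
    for entry in audit:
        print("audit:", entry)
```

The signature alone never grants privileges: it has to coincide with a zone the administrator has marked trusted, which is the "choice" Sun describes, and the audit log records denied as well as allowed requests so a reviewer can see what a component attempted even when the sandbox stopped it.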

Some corporate users say that trust is going to be a vital part of their security policies for intranets and extranets, where there is less risk of hacker intrusion than on the public Internet.

"For a percentage of applications, trust will be important," said Scott Richardson, Internet and intranet manager for truck maker Freightliner. "You have to be able to trust your business partners."