undefined | Better HN

0 pointsviraptor12y ago0 comments

But what exactly is needed? What is stopping someone from writing a FF extension that will capture all activex object tags and replace them with something doing the same operations in FF's chrome?

Is the auth protocol completely unknown? Is the activex control obfuscated more than is possible to reverse-engineer?

0 comments

7 comments · 2 top-level

itsameta412y ago· 3 in thread

ActiveX is designed to hook directly into the Windows OS. That's what makes it so dangerous, but useful in this case, since you can add a cert to the trusted store.

Firefox is designed to be secure and sand-boxed, especially its plugin architecture.

jlgreco12y ago

You don't need to replicate all of the functionality that activex has. You just need to emulate the behaviour from the banks point of view of whatever their particular activex does. Maybe the ActiveX rewrites a bunch of files with admin privileges "for security", and then negotiates some sort of key exchange... in that case just write JS that says it did the shit that requires admin privileges, then negotiates the key exchange).

So the question is, if you are willing to ignore their activex and run your own custom JS instead, could these websites be made to work?

yongjik12y ago

A major online bookstore (www.aladdin.co.kr) actually tried that this year. They teamed up with another startup company (Paygate) and allowed users to use credit card with no plugins, on any browser. The few people who tried that loved it.

And guess what happened?

Major credit card companies pulled out one by one, because they "cannot ensure" that a page without Active-X is secure enough. Of course nobody's pulling any strings, no government officials are receiving unknown gifts, and nothing can be ever proved. So, there. You work for months to provide users with modern browsing experience, and those banking powers-that-be just pull the plug.

The whole system is corrupt beyond imagination.

Citation (sorry, in Korean): http://www.hankyung.com/news/app/newsview.php?aid=2013091203... http://www.leejeonghwan.com/media/archives/002331.html

2 more replies

eevee12y ago

This is completely false. Firefox extensions have access to everything the browser does and can contain arbitrary native code.

There's a reason Mozilla's addon repository has a review process.

What makes addons better than ActiveX controls is that they're understood to extend the browser for the user's benefit, not merely make a crappy website work. Fewer people would buy that a bank website needs to install a Firefox extension before you can log in.

flomo12y ago· 2 in thread

Such a thing was created many years ago:

http://www.adamlock.com/mozilla/plugin.htm

One could guess that it was never included by default because Mozilla did not want to encourage the use of ActiveX controls.

viraptorOP12y ago

Oh $BABY_DEITY no! That's not what I was suggesting! Activex in FF? Scared the hell out of me...

What I meant is either reverse-engineering the algorithm and reimplementing it in FF chrome in clean JS like jlgreco mentioned below, or including just the kernel of the important logic, the way ndiswrapper uses windows driver for communicating to the network cards without actually implementing whole windows kernel.

flomo12y ago

The security implications of requiring users to install Firefox add-ons are not any better than requiring them to install ActiveX plug-ins. (Other than pure vendor politics.) You still have the artificial requirement of some Win32 blob, which is the real issue.

1 more reply

j / k navigate · click thread line to collapse