Security issue of np-activex Re: On the security of online banking

Qian Hong

Nov 23, 2011, 7:34:42 AM
to non-ie-online-banking
Hi all,

Ruiyi Chen suggested using English in this mailing list, so I am creating
a new thread in English for discussing security issues, forwarding
Johnny Ding's comment about security. Thanks Johnny!

2011/11/23 Johnny Ding <j...@google.com>:
One more thing: the security issue will be a big challenge for an
ActiveX bridge in non-IE browsers, because currently there is no non-IE
browser that checks the security properties of an NPAPI plugin (like a
digital certificate), as far as I know. If the plugin is compromised, the
user's confidential information will be leaked.

By the way, you may want to check the Pepper API for the new
generation plugin architecture.

2011/11/17 Qian Hong <frac...@gmail.com>:
> Regarding security issues, I would like to ask everyone here for advice.

--
Regards,
Qian Hong

-
Sent from Ubuntu
http://www.ubuntu.com/

Qian Hong

Nov 23, 2011, 8:16:14 AM
to non-ie-online-banking
2011/11/23 Johnny Ding <j...@google.com>:
> One more thing: the security issue will be a big challenge for an
> ActiveX bridge in non-IE browsers, because currently there is no non-IE
> browser that checks the security properties of an NPAPI plugin (like a
> digital certificate), as far as I know. If the plugin is compromised, the
> user's confidential information will be leaked.
>

Currently np-activex is available in the Chrome Web Store [1]. Any plugin
uploaded to the Chrome Web Store must first be packaged as a .CRX
package [2]. According to [2], the package itself is signed. Can we trust
the plugin in this case?

> By the way, you may want to check the Pepper API for the new
> generation plugin architecture.

Good idea. A Pepper API plugin is sandboxed, so it will be much
safer than an NPAPI plugin.
However, we may have other problems here. An NPAPI plugin is platform
dependent but the Pepper API is not [3]. We can conveniently use an NPAPI
plugin to build a bridge for ActiveX, which is another platform-dependent
plugin on Win32, but how can we build a bridge for ActiveX
using a platform-independent API?

Thanks!

[1] https://chrome.google.com/webstore/detail/lgllffgicojgllpmdbemgglaponefajn
[2] http://code.google.com/chrome/extensions/crx.html
[3] http://www.chromium.org/nativeclient/getting-started/getting-started-background-and-basics
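
Added example (not from this thread or from the np-activex project): a parser for the CRX version 2 container that [2] documents, showing what the package signature in the question above is bound to. The header layout and extension-ID derivation follow Chrome's CRX2 format; the sample package is constructed with placeholder key and signature bytes, and the RSA signature itself is not verified here.

```python
import hashlib
import struct

CRX2_MAGIC = b"Cr24"

def parse_crx2(blob: bytes) -> dict:
    """Split a CRX version 2 package into public key, signature and ZIP payload."""
    if len(blob) < 16 or blob[:4] != CRX2_MAGIC:
        raise ValueError("not a CRX package (bad magic)")
    version, key_len, sig_len = struct.unpack_from("<III", blob, 4)
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    zip_off = 16 + key_len + sig_len
    # Lengths come from the file itself: reject headers that point past its end.
    if key_len == 0 or sig_len == 0 or zip_off > len(blob):
        raise ValueError("header lengths exceed file size")
    payload = blob[zip_off:]
    # A CRX holds at least manifest.json, so the archive starts with a local file header.
    if not payload.startswith(b"PK\x03\x04"):
        raise ValueError("payload is not a ZIP archive")
    return {
        "public_key": blob[16:16 + key_len],   # DER SubjectPublicKeyInfo in a real package
        "signature": blob[16 + key_len:zip_off],
        "zip_payload": payload,                # the bytes the signature is computed over
    }

def extension_id(public_key: bytes) -> str:
    """Extension ID: first 16 bytes of SHA-256(public key), hex digits 0-f mapped to a-p."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)

def build_sample() -> bytes:
    # Constructed sample: placeholder key and signature bytes, not real RSA material.
    key = b"\x30\x82" + b"K" * 30
    sig = b"S" * 16
    zip_bytes = b"PK\x03\x04" + b"\x00" * 26
    return CRX2_MAGIC + struct.pack("<III", 2, len(key), len(sig)) + key + sig + zip_bytes

if __name__ == "__main__":
    pkg = parse_crx2(build_sample())
    print("extension id:", extension_id(pkg["public_key"]))
    print("signature bytes:", len(pkg["signature"]), "zip bytes:", len(pkg["zip_payload"]))
```

In this format the signature covers only the ZIP bytes and is checked against the public key embedded in the same file, so it identifies who packaged the extension; it does not assess the native NPAPI code inside the archive.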

Qian Hong

Nov 23, 2011, 8:36:51 AM
to non-ie-online-banking
On Wed, Nov 23, 2011 at 9:16 PM, Qian Hong <frac...@gmail.com> wrote:
> Good idea. A Pepper API plugin is sandboxed, so it will be much
> safer than an NPAPI plugin.
> However, we may have other problems here. An NPAPI plugin is platform
> dependent but the Pepper API is not [3]. We can conveniently use an NPAPI
> plugin to build a bridge for ActiveX, which is another platform-dependent
> plugin on Win32, but how can we build a bridge for ActiveX
> using a platform-independent API?

It seems someone has tried to port Wine to Native Client, but with no luck yet.
http://wiki.winehq.org/NaCl

If Wine can be ported to Native Client, then in theory all platforms
that support Chrome will support ActiveX in a safe way.
