Security Approach in ActiveX/Java Uploader

This topic contains information about security approach used during ActiveX/Java Uploader development.

Security at Center of Attention

During the development of ActiveX/Java Uploader Aurigma, Inc. took care of avoiding any potential security problems. Since ActiveX/Java Uploader is a software installed from the web, neglecting these problems could lead to security holes. For this reason any feature that could potentially cause security risks was rejected.

If any security holes in the ActiveX/Java Uploader are found, all the customers are immediately informed about possible issues and the problem is fixed in a timely fashion.

The customers who would like to make sure that the code safety is ok can purchase the ActiveX/Java Uploader source code. In addition to security audit, these customers can carry out customization. Please, contact Aurigma sales department if you are interested.

Sandbox

The main principle of ActiveX/Java Uploader architecture is a sandbox. It means that ActiveX/Java Uploader API does not provide any access to the file system or other resources. Unlike some competing uploading components, ActiveX/Java Uploader does not have such unsafe features as the ability to get a list of files in a given folder or add files to the upload list via client scripts, etc. These features would allow malicious persons to steal files from the computers where ActiveX/Java Uploader is installed.

ActiveX/Java Uploader requires the user to carry out all potentially dangerous operations through the user interface. None of such operations can be done without user's knowledge.

Access to Files in Upload List

ActiveX/Java Uploader provides an access to the list of files which are already chosen by the user for the upload. However, it does not compromise security because the user adds these files to the upload list manually.

By the way, similar functionality is available in Internet Explorer: you can get a name of the file opened in the standard <input type="file"> element.

ActiveX vs. Java

Some people are worried about low safety of the ActiveX technology against high safety of Java applets. Sometimes they ask if the Java part of ActiveX/Java Uploader is more secure than the ActiveX one.

The answer is NO. To be able to work with files on a local machine, the Java applet has to go out from Java sandbox (in other words, make the security level equal to the one in ActiveX). This way using Java applets for uploading would not bring any security benefits.