Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How to sign my ActiveX? 1

Status
Not open for further replies.

d00ape

Programmer
Apr 2, 2003
171
SE
I’m in need to know what signing a ActiveX realy means and how to make it possible. Have searched MSDN and read some stuff, but am in need for a good article or something to fulfill my understanding.

All notices are welcomed!!
 
I just learned how to do this. Signing an ActiveX control means attaching a digital signature to the file containing the control code, so that when someone downloads it they can verify it really came from you and not some malicious third party.

A digital signature is basically an encrypted fingerprint of the code file, made so that anyone with a public key you provide can decrypt it and verify its validity. The encryption virtually guarantees the only person who can generate a valid signature/fingerprint is you, since you alone hold the private key that is needed to do the encryption.

You can either sign the ActiveX control file itself (DLL or OCX file) or package the control file with other files you might need, into a CAB file, and sign that CAB file.

To sign an ActiveX control you need a digital certificate. You can generate your own for test purposes using the "makecert" program (I think it comes with Visual Studio, or you can download it from Microsoft). An official certificate is something you purchase from Verisign or some other authority. They make you go through a process to verify your identity. The official certificate is better because it has the added credentials of Verisign or other big name company whose digital certificates come already installed on most people's computers.

I found this MSDN page helpful when looking at "makecert" and the other tools used to sign ActiveX controls:

[URL unfurl="true"]http://msdn.microsoft.com/workshop/security/authcode/signing.asp[/url]
 
Dear teriviret ,
I am very new in this area. I would like to know whether does using "makecert" means that I can skip activeX security pop up dialog box? I developed an .ocx file that is placed on the server's side. Whenever a Flash button is clicked, the VBScript will call the .ocx to perform record/playback of user's speech. The ocx later save the .wav file onto user's computer. There is an ActiveX dialog box that always appear. How can I skip these dialog boxes without using digital certificates? Can your suggestion using "makecert" eliminate those dialog box? Hope to hear from you soon as I am at total lost now.

Thanks in advance,
Janice
 
Signing a control with a digital signature and giving users your certificate just allows them to verify that the control they download really did come from you, and wasn't tampered with by someone else. They still would get the dialog box asking them if they want to trust your content, at least the first time if they have their web browser settings at the defaults.

You could ask your users to install your certificate first, put it in the trusted category, and then set their web browsers to always trust content with a valid signature from you. This would get rid of the security pop-ups, but only because the user specifically instructed the computer to allow it.

You could also ask your users to turn off the security settings. This is a bad idea though because it leaves the door wide open for malicious code to get in if they browse to the wrong web site.

I suggest you leave the security pop-ups in there. Think of it as piece of mind for your users. They are reassured that when they download the code it really did come from you and not some evil hacker impersonating you or interfering with their internet connection in order to break into their computer.
 
Hi teriveret,
Thanks for your information. How about I store the ocx on the client's computer during the 1st time accessing the site, using VBscript? After that, whenever the user clicks on the site, it will refer to the ocx on the computer. Will this eliminate the pop ups? I understand that at certain point of time, having the pop ups will reassure the user's security matters, but if in one page the user finds more than 5 buttons that cause these pop ups, I am afraid they will get frustrated and kinda of irritated by the pop ups. That's the reason why I am trying to eliminate the pop ups.

Thanks in advance,
janice
 
If you package everything together in one CAB file, your users should only get prompted once. When they click OK, they will download all your ocx files together, right? Then they should not get prompted again unless you update one of your ocx files or they need to download something else.
 
Hi teriviret,
I am getting abit confused here. Can you explain again? I am fairly new and quite 'dumb' in these matters. Sorry. ;)

Thanks in advance,
Janice

 
Hi teriviret,
To you mean by packing everything together in one CAB file, the security pop up will only prompt once throughout the user's usage of the sites, no matter which page of my site he goes, without getting the digital certificate? The button that calls the ocx occurs in most of the pages of my site. It might irritates the user if the security pop up appears when they browse and click on the button located on any pages of my website

Thanks in advance,
Janice
 
Exactly -- if you package all your ocx files together in the same CAB file, and make sure the web pages all refer to that same CAB file, then it should only prompt to download and install it the first time. After that, the user's browser should detect that it is already downloaded, and should not prompt them again.
 
would not having a cert adversely affect the testing of the .cab and code on the net ?


-Brian
 
I think people might just be a little more reluctant to trust it, that's all.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top