Gmail security?

stormbind · May 28, 2005

I was tightening security in MSIE. Java & ActiveX are now disabled, because they are easy to exploit.

Then I went to Gmail and discovered the site won't work with ActiveX disabled!

I cannot think of a reason why Gmail should need ActiveX. I have not seen it do anything that would not work with JScript by itself.

But anyway, it leads me to wonder: What if someone sends a dodgy ActiveX script to my Gmail inbox? I have to have ActiveX enabled to use the site, so poof - exploit works!

This doesn't strike me as a very sound idea. Have I overlooked something or is Gmail a security hazard?

Note you can use plain-HTML mode but that is rubbish

Gogf · May 28, 2005

That's strange. Gmail works in Firefox, which doesn't support ActiveX :hmm:

.

Zelig · May 28, 2005

Gogf said:
That's strange. Gmail works in Firefox, which doesn't support ActiveX .

Same with recent versions of Opera...

Chairman Meow · May 28, 2005

Is there a way to change the UserAgent string in IE? Gmail might be detecting that you're using IE, assuming you have ActiveX enabled, then refusing to work when you don't have it enabled. If it's possible to change the User Agent string, you could see if changing that will affect whether Gmail demands ActiveX.

stormbind · May 28, 2005

Chairman Meow, you may well be right. Doesn't do much to help the masses though

There are differences between Microsoft JScript and Netscape JavaScript: MSIE might not work with the scripts Google have written for Mozilla-based browsers. Only one way to find out! Webwasher.com would be one way of testing.

stormbind · May 28, 2005

Gogf said:
That's strange. Gmail works in Firefox, which doesn't support ActiveX .

I did say, I don't think they do anything that explicitly requires ActiveX - but they check for it anyway :confused:

Padma · May 28, 2005

I don't have any ideas to help, but I have to agree with Chairman Meow, that Google is probably looking at the userAgent string. If it sees IE, it uses ActiveX.

Shadylookin · May 28, 2005

I believe there is a setting so you can decide to have it propmpt you and ask your permission to use activeX.

Paalikles · May 29, 2005

You can set up gmail to pop3, thus no need to use the browser to look at mail at all.
Of course, then you have all the outlook issues (or :eek:

outlook express)
But spamfilters, turning off html enabled messages and disabling javascript in emails, disabling message preview, and using Thunderbird ought to help.

Gmail settings -> POP account has a tutorial on how to set it up and what variables to use

Gmail security?

stormbind

Retenta personam!

Gogf

Indescribable

Zelig

Beep Boop

Chairman Meow

Class IV

stormbind

Retenta personam!

stormbind

Retenta personam!

Padma

the Absent Admin

Shadylookin

master debater

Paalikles

Emperor

Similar threads