From kde-usability Mon Aug 18 10:41:34 2003
From: Roland Seuhs
Date: Mon, 18 Aug 2003 10:41:34 +0000
To: kde-usability
Subject: Security and usability
X-MARC-Message: https://marc.info/?l=kde-usability&m=106120293107898

Hi!

I've followed the discussion about KDE3 defaults, especially the part about cookies and how evil they are supposed to be.

To get it straight, I'm a web programmer and I use cookies all the time and I'm more and more angry at the cookie-hysteria. Has there been a single recorded event in which a cookie has caused actual harm to some user? I don't think so.

The problem is that the paradigm that "security and usability is a tradeoff" is repeated so often that it's seen as some universal law while in reality it's basically nonsense.

Let me explain: In my opinion, security can only be achieved WITH usability. Any measures to make something more secure by reducing usability will essentially have the opposite effect.

So what will happen if cookies in Konq will be disabled or made single-session by default as some people suggested? Konqueror will become essentially useless for many sites - some users will be pissed and turn on cookies, the rest will be pissed and use another browser: Security gain = zero.

The current situation in which the user is bothered with a popup when submitting a form or getting a cookie isn't much better. There are 2 possibilities:

- Either a user understands the popup: He'll say "what idiotic message, if I submit a form I know that data is transmitted, no need to tell me" and ignore it
- Or a user doesn't understand the popup: He'll ask somebody who will tell him to "press yes and ignore it", then just press yes and ignore this and any subsequent popups.

Essentially, all the useless popups (not only in KDE, but in many other DEs and programs) are training the users to press yes and ignore popups.

Anybody who thinks that these popups are increasing security is just wrong: First he is wrong because those popups are ignored, secondly he is wrong because cookies and forms are no security problems.

I repeat it: If you say "But it's just about educating the users that the connection is not encrypted" - You are wrong: Users will ignore the popup, many won't even read it. It simply doesn't matter. If pressing "OK" is the only way to use the website, users will press "OK", no matter what you write into that annoying popup.

The reverse is true: Because people are trained to ignore popups, the important ones go unnoticed and will also be ignored.

Another example is the file-upload popup which can't even be turned off. Now the user goes to a website and uploads a file, he intentionally browses for a file to transfer and chooses the file himself. The chances that he doesn't know what he is doing and will transfer /etc/passwd by accident are pretty slim. And the hopes for a potential attacker to set up a website for accidentally uploaded password files are even slimmer. The whole dialog is useless and nonsense. It is just repeating what the user already did (trying to upload a file) and yet another useless "are you sure" dialog.

Security can only be achieved *with* usability. Which means *less* popups and *less* hassles.

A perfect example would be scp ("fish" in Konqueror): The user/password dialog should contain a checkbox that reads "always allow this computer access to user@machine (store public key on remote machine)" which would automatically append the public key to ~/.ssh/authorized_keys2 on the remote machine.

Guess what would happen?

- People would stop using ftp and use scp instead. Encrypted passwords -> more security
- People would stop putting user:password@machine ftp/fish links into bookmarks -> more security

Or even better, when Konqueror is used in ftp-mode with a username and password, Konqueror could check if an ssh/scp server is also listening and if yes (and only if yes) ask the user whether to try scp instead of ftp. (This is an occasion in which a popup would actually make sense: It's rare enough that it doesn't cause a flood and it actually offers REAL security gains.) But don't do it on anonymous ftp-connections (there are no passwords at risk and the user is unlikely to have an ssh account anyway) and only ask once for a host. However all this works only if it's usable and automatic.

Sniffing passwords from ftp and php3 accounts is a *REAL* security issue that causes *REAL* problems, unlike the hype around cookies and html-forms which are basically just hysteria with not a single documented case of harm caused.

Dumping the cookie, html-form and file-upload popups and introducing rarely shown "use scp instead of ftp" popups would increase security *BECAUSE* it would reduce hassles and popups and concentrate the user's attention on the things that actually matter.

Roland

--
Hardware: The parts of a computer system that can be kicked

_______________________________________________
kde-usability mailing list
kde-usability@mail.kde.org
http://mail.kde.org/mailman/listinfo/kde-usability
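The two mechanical pieces of the proposal above (probe the FTP host for an SSH listener before offering scp, never on anonymous logins, and append the client's public key to the remote authorized_keys exactly once) as an added example. This is editor-written illustration code, not Konqueror or KDE code; the function names are hypothetical, and the in-process "server" that answers with a banner is a constructed stand-in for a remote host so the example runs offline. One caveat a practitioner would add: an open port 22 that answers with an SSH banner only tells you a server is there; the actual protection against sniffing and spoofing still comes from verifying the host key when the real connection is made.

```python
"""Added example (not from the original mail): gate the "use scp instead of
ftp?" prompt on a real SSH listener, and install a public key idempotently.
All names are hypothetical; the local listener is constructed for the demo."""
import socket
import threading

SSH_PORT = 22
# OpenSSH key types as they appear as the type token of an authorized_keys line.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_listening(host, port=SSH_PORT, timeout=2.0):
    """True only if the port accepts a TCP connection AND greets with an SSH
    identification string.  An open port alone is not enough: some other
    service on that port must not trigger the prompt."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = s.recv(255)
    except OSError:
        return False
    return banner.startswith(b"SSH-")


def should_offer_scp(host, port, anonymous):
    """The mail's rule: never on anonymous FTP (no password at risk), and
    otherwise only when an SSH server actually answers on the host."""
    if anonymous:
        return False
    return ssh_listening(host, port)


def key_ident(line):
    """Identity of an authorized_keys line: (key type, base64 blob).
    Leading options (e.g. 'no-pty,from=...') and the trailing comment are
    ignored so the same key with a different comment is still a duplicate."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok in KEY_TYPES:
            return (tok, parts[i + 1])
    return None


def append_authorized_key(existing, pubkey):
    """Return the new authorized_keys content with `pubkey` present exactly
    once, so ticking the 'always allow' box twice does not pile up copies."""
    new_id = key_ident(pubkey)
    if new_id is None:
        raise ValueError("not an OpenSSH public key line")
    lines = [l for l in existing.splitlines() if l.strip()]
    if not any(key_ident(l) == new_id for l in lines):
        lines.append(pubkey.strip())
    return "\n".join(lines) + "\n"


# --- constructed stand-in for a remote host, used only for the offline demo ---
def _serve_once(srv, banner):
    conn, _ = srv.accept()
    with conn:
        conn.sendall(banner)


def probe_fake_server(banner):
    """Start a throwaway listener on 127.0.0.1 that sends `banner` on connect
    (a real sshd sends e.g. b'SSH-2.0-OpenSSH_9.6\\r\\n'), then run the
    non-anonymous gating check against it and return the decision."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve_once, args=(srv, banner), daemon=True).start()
    host, port = srv.getsockname()
    try:
        return should_offer_scp(host, port, anonymous=False)
    finally:
        srv.close()


if __name__ == "__main__":
    print("ssh banner  ->", probe_fake_server(b"SSH-2.0-OpenSSH_9.6\r\n"))
    print("ftp banner  ->", probe_fake_server(b"220 ftp ready\r\n"))
    keys = "ssh-ed25519 AAAAC3 old@host\n"
    print(append_authorized_key(keys, "ssh-ed25519 AAAAC3 laptop"), end="")
    print(append_authorized_key(keys, "ssh-rsa AAAAB3 laptop"), end="")
```

The banner check is deliberately stricter than "is port 22 open": in the mail's scenario the prompt is meant to be rare and trustworthy, so a false positive (an unrelated daemon on 22) would be exactly the kind of pointless popup the mail argues against.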