
List:       kde-usability
Subject:    Security and usability
From:       Roland Seuhs <roland.seuhs () hasos ! com>
Date:       2003-08-18 10:41:34

Hi!

I've followed the discussion about KDE3 defaults, especially the part about cookies and how evil they are supposed to be. To get it straight, I'm a web programmer and I use cookies all the time and I'm more and more angry at the cookie-hysteria.

Has there been a single recorded event in which a cookie has caused actual harm to some user? I don't think so.

The problem is that the paradigm that "security and usability is a tradeoff" is repeated so often that it's seen as some universal law while in reality it's basically nonsense.

Let me explain:

In my opinion, security can only be achieved WITH usability. Any measures to make something more secure by reducing usability will essentially have the opposite effect.

So what will happen if cookies in Konq will be disabled or made single-session by default as some people suggested? Konqueror will become essentially useless for many sites - some users will be pissed and turn on cookies, the rest will be pissed and use another browser: Security gain = zero.

The current situation in which the user is bothered with a popup when submitting a form or getting a cookie isn't much better. There are 2 possibilities:

- Either a user understands the popup:
	He'll say "what idiotic message, if I submit a form I know that data is transmitted, no need to tell me" and ignore it

- Or a user doesn't understand the popup:
	He'll ask somebody who will tell him to "press yes and ignore it", then just press yes and ignore this and any subsequent popups.

Essentially, all the useless popups (not only in KDE, but in many other DEs and programs) are training the users to press yes and ignore popups.

Anybody who thinks that these popups are increasing security is just wrong: First he is wrong because those popups are ignored, secondly he is wrong because cookies and forms are no security problems. I repeat it: If you say "But it's just about educating the users that the connection is not encrypted" - You are wrong: Users will ignore the popup, many won't even read it. It simply doesn't matter. If pressing "OK" is the only way to use the website, users will press "OK", no matter what you write into that annoying popup.

The reverse is true: Because people are trained to ignore popups, the important ones go unnoticed and will also be ignored.

Another example is the file-upload popup which can't even be turned off.

Now the user goes to a website and uploads a file, he intentionally browses for a file to transfer and chooses the file himself. The chances that he doesn't know what he is doing and will transfer /etc/passwd by accident are pretty slim. And the hopes for a potential attacker to set up a website for accidentally uploaded password files are even slimmer. The whole dialog is useless and nonsense. It is just repeating what the user already did (trying to upload a file) and yet another useless "are you sure" dialog.

Security can only be achieved *with* usability. Which means *less* popups and *less* hassles.

A perfect example would be scp ("fish" in Konqueror)

The user/password dialog should contain a checkbox that reads "always allow this computer access to user@machine (store public key on remote machine)" which would automatically append the public key to ~/.ssh/authorized_keys2 on the remote machine.

Guess what would happen?

- People would stop using ftp and use scp instead. Encrypted passwords -> more security
- People would stop putting user:password@machine ftp/fish links into bookmarks -> more security

Or even better, when Konqueror is used in ftp-mode with a username and password, Konqueror could check if a ssh/scp server is also listening and if yes (and only if yes) ask the user whether to try scp instead of ftp. (This is an occasion in which a popup would actually make sense: It's rare enough that it doesn't cause a flood and it actually offers REAL security gains) But don't do it on anonymous ftp-connections (There are no passwords at risk and the user is unlikely to have a ssh account anyway) and only ask once for a host.

However all this works only if it's usable and automatic. 

Sniffing passwords from ftp and php3 accounts is a *REAL* security issue that causes *REAL* problems, unlike the hype around cookies and html-forms which are basically just hysteria with not a single documented case of harm caused.

Dumping the cookie, html-form and file-upload popups and introducing rarely shown "use scp instead of ftp" popups would increase security *BECAUSE* it would reduce hassles and popups and concentrate the user's attention on the things that actually matter.

Roland

-- 
Hardware: The parts of a computer system that can be kicked

_______________________________________________
kde-usability mailing list
kde-usability@mail.kde.org
http://mail.kde.org/mailman/listinfo/kde-usability
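The two mechanisms Roland sketches above (offer scp only when a non-anonymous ftp URL points at a host that also has an ssh server listening, asking at most once per host; and an "always allow this computer" checkbox that appends the client's public key to the remote authorized_keys file) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not Konqueror or KDE code. It assumes a TCP probe of port 22 is an acceptable "is ssh listening" test, models the remote ~/.ssh/authorized_keys as a local path so it runs offline, and uses a constructed, non-functional public key line as sample input. The host names and the `demo()` helper are illustrative only.

```python
"""Added example (not KDE/Konqueror code): 'offer scp instead of ftp' decision
logic plus an idempotent authorized_keys append, as sketched in the post."""
import os
import socket
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Usernames that mean "anonymous ftp": no password at risk, so never offer scp.
ANONYMOUS_USERS = {"", "anonymous", "ftp"}

# Constructed sample key for the demo: the blob is NOT a real key.
SAMPLE_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexample"
                 "EXAMPLEexample roland@laptop")


def ssh_listening(host: str, port: int = 22, timeout: float = 1.0) -> bool:
    """Plain TCP probe: True if something accepts a connection on host:port.
    It only proves a listener exists; reading the banner would confirm ssh."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def should_offer_scp(url: str, asked_hosts: set, probe=ssh_listening) -> bool:
    """Return True iff the user should now be asked to try scp instead of ftp.

    Rules from the post: only for ftp URLs with a real (non-anonymous) user,
    only if an ssh server is also listening, and only once per host.
    asked_hosts is mutated to remember hosts that were already offered.
    `probe` is injectable so the logic can be exercised offline."""
    u = urlparse(url)
    if u.scheme != "ftp" or not u.hostname:
        return False
    if (u.username or "").lower() in ANONYMOUS_USERS:
        return False                       # anonymous ftp: nothing to protect
    host = u.hostname.lower()              # urlparse already lowercases it
    if host in asked_hosts:
        return False                       # ask once per host
    if not probe(host):
        return False                       # no ssh server: stay silent
    asked_hosts.add(host)                  # remember only when we actually ask
    return True


def authorize_key(authorized_keys: Path, pubkey_line: str) -> bool:
    """Append an OpenSSH public key line to authorized_keys unless already there.

    Creates the parent .ssh directory with mode 0700 and the file with 0600,
    which sshd's StrictModes requires. Keys are compared on type+blob only so a
    changed comment does not produce a duplicate entry. Lines with a leading
    options field (e.g. command="...") are a simplification not handled here.
    Returns True if the key was added, False if it was already present."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_id = tuple(fields[:2])
    key = " ".join(fields)
    authorized_keys.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    authorized_keys.touch(mode=0o600, exist_ok=True)
    os.chmod(authorized_keys, 0o600)       # touch() is subject to umask
    text = authorized_keys.read_text()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and tuple(parts[:2]) == key_id:
            return False
    with authorized_keys.open("a") as fh:
        if text and not text.endswith("\n"):
            fh.write("\n")                 # never glue onto a partial last line
        fh.write(key + "\n")
    return True


def demo() -> dict:
    """Run both mechanisms against constructed input; returns the results."""
    asked = set()
    # Fake probe: only files.example.org "has" an ssh server (constructed).
    probe = lambda host, port=22: host == "files.example.org"
    results = {
        "offer_first": should_offer_scp("ftp://roland@files.example.org/www/", asked, probe),
        "offer_again": should_offer_scp("ftp://roland@files.example.org/www/", asked, probe),
        "offer_anon": should_offer_scp("ftp://anonymous@ftp.example.org/pub/", asked, probe),
        "offer_no_ssh": should_offer_scp("ftp://roland@nossh.example.org/", asked, probe),
    }
    with tempfile.TemporaryDirectory() as d:
        ak = Path(d) / ".ssh" / "authorized_keys"
        results["added_first"] = authorize_key(ak, SAMPLE_PUBKEY)
        results["added_again"] = authorize_key(ak, SAMPLE_PUBKEY)
        results["added_new_comment"] = authorize_key(ak, SAMPLE_PUBKEY.replace("roland@laptop", "other"))
        results["lines"] = ak.read_text().count("\n")
        results["mode"] = ak.stat().st_mode & 0o777
    return results


if __name__ == "__main__":
    print(demo())
```

In the real dialog `authorize_key` would run on the remote host (what `ssh-copy-id` does over the very ssh session the user just authenticated), and the probe would be followed by a banner read so that an unrelated service on port 22 does not trigger the offer.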

