List: kde-usability
Subject: Security and usability
From: Roland Seuhs <roland.seuhs () hasos ! com>
Date: 2003-08-18 10:41:34
Hi!
I've followed the discussion about KDE3 defaults, especially the part about cookies and how evil they are supposed to be. To get it straight, I'm a web programmer and I use cookies all the time and I'm more and more angry at the cookie-hysteria.
Has there been a single recorded event in which a cookie has caused actual harm to some user? I don't think so.
The problem is that the paradigm that "security and usability is a tradeoff" is repeated so often that it's seen as some universal law while in reality it's basically nonsense.
Let me explain:
In my opinion, security can only be achieved WITH usability. Any measures to make something more secure by reducing usability will essentially have the opposite effect.
So what will happen if cookies in Konq will be disabled or made single-session by default as some people suggested? Konqueror will become essentially useless for many sites - some users will be pissed and turn on cookies, the rest will be pissed and use another browser: Security gain = zero.
The current situation in which the user is bothered with a popup when submitting a form or getting a cookie isn't much better. There are 2 possibilities:
- Either a user understands the popup:
He'll say "what idiotic message, if I submit a form I know that data is transmitted, no need to tell me" and ignore it
- Or a user doesn't understand the popup:
He'll ask somebody who will tell him to "press yes and ignore it", then just press yes and ignore this and any subsequent popups.
Essentially, all the useless popups (not only in KDE, but in many other DEs and programs) are training the users to press yes and ignore popups.
Anybody who thinks that these popups are increasing security is just wrong: First he is wrong because those popups are ignored, secondly he is wrong because cookies and forms are no security problems. I repeat it: If you say "But it's just about educating the users that the connection is not encrypted" - You are wrong: Users will ignore the popup, many won't even read it. It simply doesn't matter. If pressing "OK" is the only way to use the website, users will press "OK", no matter what you write into that annoying popup.
The reverse is true: Because people are trained to ignore popups, the important ones go unnoticed and will also be ignored.
Another example is the file-upload popup which can't even be turned off.
Now the user goes to a website and uploads a file, he intentionally browses for a file to transfer and chooses the file himself. The chances that he doesn't know what he is doing and will transfer /etc/passwd by accident are pretty slim. And the hopes for a potential attacker to set up a website for accidentally uploaded password files are even slimmer. The whole dialog is useless and nonsense. It is just repeating what the user already did (trying to upload a file) and yet another useless "are you sure" dialog.
Security can only be achieved *with* usability. Which means *less* popups and *less* hassles.
A perfect example would be scp ("fish" in Konqueror)
The user/password dialog should contain a checkbox that reads "always allow this computer access to user@machine (store public key on remote machine)" which would automatically append the public key to ~/.ssh/authorized_keys2 on the remote machine.
Guess what would happen?
- People would stop using ftp and use scp instead. Encrypted passwords -> more security
- People would stop putting user:password@machine ftp/fish links into bookmarks -> more security
Or even better, when Konqueror is used in ftp-mode with a username and password, Konqueror could check if a ssh/scp server is also listening and if yes (and only if yes) ask the user whether to try scp instead of ftp. (This is an occasion in which a popup would actually make sense: It's rare enough that it doesn't cause a flood and it actually offers REAL security gains) But don't do it on anonymous ftp-connections (There are no passwords at risk and the user is unlikely to have a ssh account anyway) and only ask once for a host.
However all this works only if it's usable and automatic.
Sniffing passwords from ftp and php3 accounts is a *REAL* security issue that causes *REAL* problems, unlike the hype around cookies and html-forms which are basically just hysteria with not a single documented case of harm caused.
Dumping the cookie, html-form and file-upload popups and introducing rarely shown "use scp instead of ftp" popups would increase security *BECAUSE* it would reduce hassles and popups and concentrate the user's attention on the things that actually matter.
Roland
--
Hardware: The parts of a computer system that can be kicked
_______________________________________________
kde-usability mailing list
kde-usability@mail.kde.org
http://mail.kde.org/mailman/listinfo/kde-usability
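The two mechanisms the post proposes for the fish/scp dialog, appending the client's public key to the remote user's authorized keys file and probing whether an SSH server is listening before offering scp in place of ftp, are shown below as an added example. This is not code from the post or from Konqueror; it is the remote-side key installation done the way ssh-copy-id does it (owner-only directory and file, no duplicate entries) plus a banner check. The function names, the use of `nc` for the probe, and the file name `authorized_keys` (what current OpenSSH reads by default; the post names `authorized_keys2`) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of KDE/Konqueror.

# install_authorized_key HOME_DIR PUBKEY_LINE
# Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless that exact line
# is already present. sshd refuses keys from a world- or group-writable
# directory or file, so both are created owner-only (700 / 600).
install_authorized_key() {
    home="$1"
    key="$2"
    dir="$home/.ssh"
    file="$dir/authorized_keys"
    old_umask=$(umask)
    umask 077                        # anything we create is owner-only
    mkdir -p "$dir" || { umask "$old_umask"; return 1; }
    chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    umask "$old_umask"
    # Whole-line fixed-string match: re-running the dialog never adds a
    # second copy of the same key.
    if grep -Fxq -- "$key" "$file"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
}

# authorized_key_count HOME_DIR
# Number of key lines currently installed (used by callers and tests).
authorized_key_count() {
    grep -c '' "$1/.ssh/authorized_keys"
}

# ssh_listening HOST [PORT]
# Returns 0 only if something on HOST:PORT accepts a TCP connection and greets
# with an SSH protocol-2 banner, i.e. the "is an ssh/scp server also listening"
# test the post wants before offering scp instead of ftp. Assumes a BSD-style
# nc where -w is the connect/idle timeout in seconds; adjust for other netcats.
ssh_listening() {
    host="$1"
    port="${2:-22}"
    banner=$(printf '' | nc -w 2 "$host" "$port" 2>/dev/null | head -c 7)
    [ "$banner" = "SSH-2.0" ]
}
```

A client that ran this after a successful password login could drop the password from its bookmarks entirely; the key install is idempotent, so offering the checkbox on every login costs nothing.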