
List:       kde-usability
Subject:    Re: Security and usability
From:       David Hugh-Jones <hughjonesd () yahoo ! co ! uk>
Date:       2003-08-18 10:54:49

I agree very much with your general point about usability and security,
and I also do web programming and use cookies, but they _can_ be
dangerous: here's one result of a quick google. Nobody got harmed but
clearly there was the potential for serious harm.

http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0079.html

dave

On Mon, 2003-08-18 at 11:41, Roland Seuhs wrote:
> Hi!
> 
> I've followed the discussion about KDE3 defaults, especially the part about cookies
> and how evil they are supposed to be. To get it straight, I'm a web programmer and
> I use cookies all the time and I'm more and more angry at the cookie-hysteria.
> Has there been a single recorded event in which a cookie has caused actual harm to
> some user? I don't think so.
> The problem is that the paradigm that "security and usability is a tradeoff" is
> repeated so often that it's seen as some universal law while in reality it's
> basically nonsense.
> Let me explain:
> 
> In my opinion, security can only be achieved WITH usability. Any measures to make
> something more secure by reducing usability will essentially have the opposite
> effect.
> So what will happen if cookies in Konq will be disabled or made single-session by
> default as some people suggested? Konqueror will become essentially useless for
> many sites - some users will be pissed and turn on cookies, the rest will be pissed
> and use another browser: Security gain = zero.
> The current situation in which the user is bothered with a popup when submitting a
> form or getting a cookie isn't much better. There are 2 possibilities:
> 
> - Either a user understands the popup:
> 	He'll say "what idiotic message, if I submit a form I know that data is
> 	transmitted, no need to tell me" and ignore it
> - Or a user doesn't understand the popup:
> 	He'll ask somebody who will tell him to "press yes and ignore it", then just press
> 	yes and ignore this and any subsequent popups.
> Essentially, all the useless popups (not only in KDE, but in many other DEs and
> programs) are training the users to press yes and ignore popups.
> Anybody who thinks that these popups are increasing security is just wrong: First
> he is wrong because those popups are ignored, secondly he is wrong because cookies
> and forms are no security problems. I repeat it: If you say "But it's just about
> educating the users that the connection is not encrypted" - You are wrong: Users
> will ignore the popup, many won't even read it. It simply doesn't matter. If
> pressing "OK" is the only way to use the website, users will press "OK", no matter
> what you write into that annoying popup.
> The reverse is true: Because people are trained to ignore popups, the important
> ones get unnoticed and will also be ignored.
> Another example is the file-upload popup which can't even be turned off.
> 
> Now the user goes to a website and uploads a file, he intentionally browses for a
> file to transfer and chooses the file himself. The chances that he doesn't know
> what he is doing and will transfer /etc/passwd by accident are pretty slim. And the
> hopes for a potential attacker to set up a website for accidentally uploaded
> password files are even slimmer. The whole dialog is useless and nonsense. It is
> just repeating what the user already did (trying to upload a file) and yet another
> useless "are you sure" dialog.
> Security can only be achieved *with* usability. Which means *less* popups and
> *less* hassles.
> A perfect example would be scp ("fish" in Konqueror)
> 
> The user/password dialog should contain a checkbox that reads "always allow this
> computer access to user@machine (store public key on remote machine)" which would
> automatically append the public key to ~/.ssh/authorized_keys2 on the remote
> machine.
> Guess what would happen?
> 
> - People would stop using ftp and use scp instead. Encrypted passwords -> more
>   security
> - People would stop putting user:password@machine ftp/fish links into bookmarks ->
>   more security
> Or even better, when Konqueror is used in ftp-mode with a username and password,
> Konqueror could check if a ssh/scp server is also listening and if yes (and only if
> yes) ask the user whether to try scp instead of ftp. (This is an occasion in which a
> popup would actually make sense: It's rare enough that it doesn't cause a flood and
> it actually offers REAL security gains) But don't do it on anonymous
> ftp-connections (There are no passwords at risk and the user is unlikely to have a
> ssh account anyway) and only ask once for a host.
> However all this works only if it's usable and automatic.
> 
> Sniffing passwords from ftp and php3 accounts is a *REAL* security issue that causes
> *REAL* problems, unlike the hype around cookies and html-forms which are basically
> just hysteria with not a single documented case of harm caused.
> Dumping the cookie, html-form and file-upload popups and introducing rarely shown
> "use scp instead of ftp" popups would increase security *BECAUSE* it would reduce
> hassles and popups and concentrate the user's attention on the things that actually
> matter.
> Roland
> 
> -- 
> Hardware: The parts of a computer system that can be kicked
> 
> _______________________________________________
> kde-usability mailing list
> kde-usability@mail.kde.org
> http://mail.kde.org/mailman/listinfo/kde-usability
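The quoted proposal has two concrete mechanical parts: offer scp instead of ftp only when the login is not anonymous, an SSH server is actually listening on the host, and the user has not been asked about that host before; and append the client's public key to the remote authorized_keys file. The following is an added illustration of that decision logic, written for this edit and not code from the thread or from Konqueror. The class name, the probe signature, and the idempotent authorized_keys helper are this example's own assumptions; the test injects a fake probe so nothing touches the network.

```python
"""Added example: 'offer scp instead of ftp' decision logic and an idempotent
authorized_keys append, modelled on the proposal quoted above. All names here
are the example's own; nothing is taken from Konqueror."""

import socket
from urllib.parse import urlparse

# Logins that carry no password worth protecting (anonymous FTP convention).
ANONYMOUS_USERS = {"anonymous", "ftp"}


def ssh_banner_probe(host, port=22, timeout=2.0):
    """Default probe: open a TCP connection and check that the peer speaks SSH.
    An SSH server sends its identification string 'SSH-<proto>-<software>'
    first (RFC 4253), so reading the first bytes is enough to tell it apart
    from an unrelated service that happens to accept the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(255)
    except OSError:
        return False
    return banner.startswith(b"SSH-")


class ScpUpgradeAdvisor:
    """Decides, once per host, whether the client should ask the user to use
    scp/sftp instead of a password-carrying FTP login."""

    def __init__(self, probe=ssh_banner_probe):
        self._probe = probe      # injectable so tests need no network
        self._asked = set()      # hosts already considered: ask only once

    def should_offer_scp(self, url):
        parts = urlparse(url)
        if parts.scheme != "ftp" or not parts.hostname:
            return False
        user = parts.username
        # Anonymous FTP: no password at risk, and the user is unlikely to
        # have an SSH account there, so stay quiet.
        if not user or user.lower() in ANONYMOUS_USERS:
            return False
        host = parts.hostname.lower()
        if host in self._asked:
            return False
        # Record the host before probing so a host without SSH is not
        # re-probed on every connection either.
        self._asked.add(host)
        return bool(self._probe(host))


def _key_id(line):
    """Identity of an authorized_keys entry: key type plus base64 blob.
    The trailing comment is ignored so the same key with a different comment
    is still recognised as a duplicate."""
    fields = line.split()
    return tuple(fields[:2]) if len(fields) >= 2 else None


def add_authorized_key(existing, pubkey_line):
    """Return the authorized_keys content with pubkey_line present exactly
    once. Re-ticking the 'always allow' checkbox must not pile up copies."""
    key = pubkey_line.strip()
    if _key_id(key) in {_key_id(l) for l in existing.splitlines()}:
        return existing
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + key + "\n"


if __name__ == "__main__":
    # Constructed sample: one host with SSH, one without.
    def demo_probe(host, port=22, timeout=2.0):
        return host == "shell.example.test"

    advisor = ScpUpgradeAdvisor(probe=demo_probe)
    for url in ("ftp://alice:secret@shell.example.test/pub/",
                "ftp://alice:secret@shell.example.test/pub/again",
                "ftp://anonymous@ftp.example.test/",
                "ftp://bob:pw@ftponly.example.test/"):
        print(url, "->", advisor.should_offer_scp(url))
```

The probe is deliberately kept out of the class so the decision rule can be tested without a live host; in a real client the banner check also guards against treating any open port 22 as proof that SSH is available.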

