On Monday, 18 August 2003 14:39, Lauri Watts wrote:
> > Anybody who thinks that these popups are increasing security is just
> > wrong: First he is wrong because those popups are ignored, secondly he is
> > wrong because cookies and forms are no security problems. I repeat it: If
> > you say "But it's just about educating the users that the connection is
> > not encrypted" - You are wrong: Users will ignore the popup, many won't
> > even read it. It simply doesn't matter. If pressing "OK" is the only way
> > to use the website, users will press "OK", no matter what you write into
> > that annoying popup.
>
> No, they are increasing *privacy* though.

Sorry, but I don't see how an ignored popup is improving anything.

> I have a right to know what, and
> when, information is being requested by a website. Users who don't care,
> turn it off (or never turn it on, this is not the default setting after
> all).

First, cookie popups are turned on by default on every default KDE install I
know. Second, I don't advocate removing that feature, I just say it should be
off by default. (Maybe I wasn't clear on that.)

> > Sniffing passwords from ftp and php3 accounts are *REAL* security issues
> > that cause *REAL* problems, unlike the hype around cookies and html-forms
> > which are basically just hysteria with not a single documented case of
> > harm caused.
>
> Wrong. Trackware or spyware cookies are exceedingly common.
> http://www.safersite.com/PestInfo/db/spyware_cookie.asp lists a couple
> hundred of them. Their definition, which I find quite fair, is:
> 'Any cookie that is shared among two or more unrelated sites for the
> purpose of gathering and/or sharing (private) user information. Definitions
> of "private" may differ. Some consider any code "private" if it uniquely
> identifies a user, even if it is not their name or email address.'
>
> You're right many people don't care however there's a whole heck of a lot
> of people who do. This same site is home to the PestPatrol software, and
> their stats say they received 511,017 pest reports from PestPatrol users
> for the past month. That's a whole heck of a lot of people who care very
> much, and PestPatrol isn't even the most popular software of its type, but
> Ad-Aware doesn't seem to post their stats on their site.

As a compromise, maybe we could agree only to ask the user via a popup if the
cookie is from another server, and not ask for cookies from the same server?
(Of course I am talking about the defaults here. Any user should be able to
turn anything on/off according to his needs.)

> > Dumping the cookie, html-form and file-upload popups and introducing
> > rarely shown "use scp instead of ftp" popups would increase security
> > *BECAUSE* it would reduce hassles and popups and concentrate the user's
> > attention on the things that actually matter.
>
> An exceedingly rarely triggered case would see a small increase in security
> - I can't even remember the last time I uploaded something to an ftp site
> via ftp.

You can sniff passwords every time you connect to an ftp server; it doesn't
matter whether you upload or download.

> I would *never* see this dialog. I think it's a cute idea, and
> might be worth adding as well, but it's not a case of 'well we add this, we
> have to now remove the highly regarded and widely used privacy features on
> cookies.'

Yes, of course these two are unrelated; it was just an example of what I would
think of as a good popup.

> I can also see us getting yelled at for port probing home windows
> admin's ftp servers on port 22 and tripping their zone alarms.

Since all this should not happen on anonymous logins (where security is no
issue, obviously), I don't see it happening.

Roland

P.S.: Everybody is only talking about cookies. What about the html-form and
http-upload warnings, is everybody agreeing that those should be turned OFF by
default?

--
The Bible tells us to love our neighbors and also to love our enemies;
probably because they are generally the same people. -- Mark Twain
_______________________________________________
kde-usability mailing list
kde-usability@mail.kde.org
http://mail.kde.org/mailman/listinfo/kde-usability
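Two things in the message above are concrete enough to put into code: the proposed default of only prompting for cookies that come "from another server" than the page, and the quoted definition of a spyware cookie as one shared among two or more unrelated sites. The following Python is an added illustration, not Konqueror's or KDE's cookie-policy code. It assumes a cookie is attributed to the host that sent the Set-Cookie response, models a "site" as the last two DNS labels instead of consulting the public-suffix list, and runs over a constructed list of page visits; the host names in the sample are made up.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Crude 'site' of a host: its last two labels (www.kde.org -> kde.org).

    Assumption: a real browser consults the public-suffix list so that
    e.g. bbc.co.uk is not collapsed to co.uk; that list is left out here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def cookie_decision(page_url: str, cookie_host: str, by_site: bool = False) -> str:
    """The proposed default: accept silently when the cookie comes from the
    server the page itself was loaded from, ask the user otherwise.

    by_site=False compares exact host names ("another server" read literally),
    so static.kde.org on a www.kde.org page still triggers a prompt.
    by_site=True treats hosts under the same registrable domain as first-party,
    which is what avoids prompting for a site's own CDN or image host.
    """
    page_host = (urlsplit(page_url).hostname or "").lower()
    if by_site:
        first_party = registrable_domain(page_host) == registrable_domain(cookie_host)
    else:
        first_party = page_host == cookie_host.lower()
    return "accept" if first_party else "ask"


def find_tracking_cookies(observations):
    """Flag cookies matching the quoted spyware-cookie definition: the same
    (host, name) cookie turns up while visiting two or more unrelated sites.

    "Unrelated" means the visited page's site differs from the site of the host
    setting the cookie, so a site's own login cookie seen on several of its
    subdomains is not counted. Returns {(host, name): sorted list of sites}.
    """
    sites_seen = defaultdict(set)
    for page_url, cookie_host, name in observations:
        page_site = registrable_domain(urlsplit(page_url).hostname or "")
        if page_site != registrable_domain(cookie_host):
            sites_seen[(cookie_host.lower(), name)].add(page_site)
    return {key: sorted(sites) for key, sites in sites_seen.items() if len(sites) >= 2}


# Constructed sample: (page visited, host that sent Set-Cookie, cookie name).
SAMPLE = [
    ("http://www.kde.org/", "www.kde.org", "session"),
    ("http://www.kde.org/", "static.kde.org", "prefs"),
    ("http://www.kde.org/", "ads.tracker.example", "uid"),
    ("http://news.example.net/story", "news.example.net", "login"),
    ("http://news.example.net/story", "ads.tracker.example", "uid"),
    ("http://shop.example.net/", "ads.tracker.example", "uid"),  # same site as news.example.net
    ("http://shop.example.net/", "stats.onesite.example", "visit"),  # seen on one site only
]

if __name__ == "__main__":
    for page_url, host, name in SAMPLE:
        print(f"{page_url:32} {host:24} {name:8} "
              f"host-match={cookie_decision(page_url, host):7} "
              f"site-match={cookie_decision(page_url, host, by_site=True)}")
    print("tracking cookies:", find_tracking_cookies(SAMPLE))
```

With the sample above, only the ads.tracker.example "uid" cookie is flagged: it is set while visiting kde.org and example.net, two sites unrelated to the tracker's own domain, whereas the stats.onesite.example cookie appears on a single site and the kde.org "prefs" cookie is first-party by site even though it fails the exact-host comparison.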