
List:       kde-usability
Subject:    Re: Security and usability
From:       Michael Pye <mdpye () ntlworld ! com>
Date:       2003-08-19 10:04:59

On Monday 18 August 2003 10:18 pm, Roland Seuhs wrote:

> There have also been cases of writing root-passwords on post-it notes and
> putting them on a screen in a busy office.
>
> Yet I don't see you wanting to ban post-it notes.

Actually, a post-it note with a password on the screen is a disciplinary matter in a lot of 
places for that very reason...

> If a webmaster doesn't care about security (and storing username/passwords
> in cookies falls into that category) that can't be used as an argument to
> diss cookies as a technology.

If a webmaster is relying on cookies (a pretty poor technology which relies on 
the permission of the user to store data on a best effort basis) in order for 
their site to work, then I shall thoroughly diss the webmaster.

> I recently was looking over the shoulder of a medium-computer literate user
> and he still clicked away the warning every time he filled out a form. For
> at least 4 years now. I couldn't believe it.

Well, if he was clicking away a dialogue which had a "don't show this next 
time" check box for 4 years, either he was quite dim, it didn't bother him OR 
(ye gods, it might be true) he wanted to know whenever his browser was 
submitting information.

> The same goes for the file-upload warning which currently can't even be
> turned off.

Do you really believe that pop-up is there for when the user deliberately 
uploads a file? It is there for when a malicious page attempts to upload a 
file without the user's knowledge. After all, I don't think it's so difficult 
to do. Put the name of a file in a pre-filled form, and use javascript to 
submit it onLoad()...

Uploading a file is not a regular activity on the web; it is a pull-based 
medium. As such it is perfectly acceptable to have warnings assigned to 
unusual activities...

> Everything that can be stored in a cookie can also be stored on the
> webserver.

This is true, BUT you cannot be uniquely identified on your return by items 
stored on the webserver. This is the problem: profiles uniquely identified 
and built up over the course of months across many different sites, not just 
a single session on a single site.

> But OK, let's keep cookies the way they are but at least let's get rid of

Good.

> - The dialog that appears when a user uploads a file

No no no. See above.

> I wouldn't be complaining if there were mass-infections or viruses related
> to cookies.

But we are complaining because there are mass breaches of privacy. We already 
know you do not give a damn about this, but you appear to be the only one.

> My point, exactly.

The suggestion of disabling any reasonable functionality was brief and quickly 
put down. Aside from that, the things you appear to be referring to as "lock 
down" are merely warnings about unusual behaviour. :/

MP

_______________________________________________
kde-usability mailing list
kde-usability@mail.kde.org
http://mail.kde.org/mailman/listinfo/kde-usability