
List:       kfm-devel
Subject:    Re: Fwd: KDE 2.2: security vs auto-completion in forms
From:       George Staikos <staikos () kde ! org>
Date:       2001-09-01 4:17:43

On Monday 27 August 2001 17:08, Waldo Bastian wrote:

> sorry that I try to reach you this way - I'm not even a
> developer, just a user - well, but maybe this hint is of
> some use. How about this way to handle the situation:
>
> - Enable form completions as default
>
> - Keep this setting as long as no encrypted page is loaded
>
> - When an encrypted page is loaded, ask the user whether
>   form completion shall be disabled now and explain what
>   can happen (data is stored at unexpected places on disk).
>
> - The user can confirm or reject form completion disabling
>   and it also is possible to mark a "don't ask me again"
>   option.
>
> - If the user wants to change this policy later on, an
>   appropriate dialog offers these options (as suggested
>   by Kurt Granroth):
>
>   Enable Form Completions
>   ( ) Always
>   ( ) Only on unencrypted pages
>
>
> - In general (for this situation and for possible similar
>   ones): keep things secure first. If there's a tradeoff
>   situation between security and comfort, ask the user whether
>   comfort or security is preferred.
>
>   Be sure to make security changes very explicit to the user
>   (dialogs with thick, red borders? Two confirmation dialogs?).
>
>   Never make the "insecure" option the default, as it can be
>   found in some Microsoft products. Otherwise, it might only
>   be a matter of time until this is exploited, resulting in
>   bad press for the KDE project.

   Yes, this is a very good suggestion, and I hope we can see this in 2.2.1.
This is exactly the way it should work.

-- 

George Staikos
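
The policy proposed in the quoted message, sketched as a small state machine. This is an added example, not part of the original thread and not KDE code; all names are hypothetical. Two points are assumptions: nothing from an encrypted page is stored while the dialog is unanswered, and the dialog is skipped once completion is already off for encrypted pages.

```cpp
#include <iostream>

// All names are hypothetical; this is not Konqueror/KHTML code.
enum class Mode { Always, OnlyUnencrypted };   // the two radio buttons

class CompletionPolicy {
public:
    // Called on each page load. Returns true if the warning dialog must be shown.
    bool pageLoaded(bool encrypted) {
        encrypted_ = encrypted;
        // Assumption: asking is pointless once completion is already
        // disabled for encrypted pages.
        pending_ = encrypted && ask_ && mode_ == Mode::Always;
        return pending_;
    }
    // The user's answer to the dialog ("disable now?" plus "don't ask me again").
    void answer(bool disableOnEncrypted, bool dontAskAgain) {
        mode_ = disableOnEncrypted ? Mode::OnlyUnencrypted : Mode::Always;
        if (dontAskAgain) ask_ = false;
        pending_ = false;
    }
    // The settings dialog lets the user change the policy later on.
    void setMode(Mode m) { mode_ = m; }
    // May form input from the current page be written to the completion store?
    bool mayStore() const {
        if (!encrypted_) return true;    // completion is enabled by default
        if (pending_) return false;      // assumption: fail closed until answered
        return mode_ == Mode::Always;
    }
private:
    Mode mode_ = Mode::Always;
    bool ask_ = true, encrypted_ = false, pending_ = false;
};

int main() {
    CompletionPolicy p;
    p.pageLoaded(false);
    std::cout << "unencrypted page, store: " << p.mayStore() << "\n";
    bool prompt = p.pageLoaded(true);
    std::cout << "encrypted page, prompt: " << prompt
              << ", store before answer: " << p.mayStore() << "\n";
    p.answer(true, true);                // disable, don't ask again
    std::cout << "after answer, store: " << p.mayStore() << "\n";
    std::cout << "next encrypted page, prompt: " << p.pageLoaded(true) << "\n";
    return 0;
}
```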
