List: kde-usability
Subject: Re: Security and usability
From: Roland Seuhs <roland.seuhs () hasos ! com>
Date: 2003-08-18 21:18:12
On Monday, 18 August 2003 21:31, Aaron J. Seigo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Monday 18 August 2003 12:40, Roland Seuhs wrote:
> > Wow, I write 2 pages of reasons why to remove the cookie popup and now
> > you propose replacing it with 2 popups.
> >
> > Did you even read what I wrote?
>
> ok, enough with the flame-worthy material. calm down ....
>
> you are both right and wrong, IMHO:
>
> there HAVE been problems with cookies in the past, both security and
> privacy related. the latter is the larger issue, but the former has
> occurred. why do you think so much emphasis has been put on using session
> id's instead of storing the username/password in a cookie? that's right:
> there's been abuses.
There have also been cases of writing root passwords on Post-it notes and sticking them on a screen in a busy office.
Yet I don't see you wanting to ban Post-it notes.
If a webmaster doesn't care about security (and storing usernames/passwords in cookies falls into that category), that can't be used as an argument to diss cookies as a technology.
> you are also wrong to assume that everyone turns it off. most users won't
> simply because most users don't mess with their settings that much and just
> go with the defaults.
Actually, I wanted to point that out too. If I assumed that everybody would turn it off, I wouldn't have written my post, because then the defaults would be irrelevant anyway.
I was recently looking over the shoulder of a medium-computer-literate user, and he still clicked away the warning every time he filled out a form. For at least four years now. I couldn't believe it.
Please turn off that dialog.
> many sophisticated users keep it on because it IS
> very useful.
I think sophisticated users can change the defaults.
However, I don't think sophisticated users use the "what you entered is not encrypted" dialog (see above). Please get rid of it.
The same goes for the file-upload warning which currently can't even be turned off.
> but you are right in that worthless popups cause people to start ignoring
> them. the cookie popup doesn't suffer as badly as others since the
> information in it is dynamic and more extensive than usual: this tends to
> give people pause.
>
> making the defaults something in between such as "Automatically accept
> session cookies" and "Only accept cookies from originating server" would
> probably be enough, no?
> this means you only see cookie popups on occasion,
> and often only when they are a privacy issue. of course, those are already
> the current defaults.
Everything that can be stored in a cookie can also be stored on the webserver.
Blocking cookies is only giving a false sense of security in my opinion.
But OK, let's keep cookies the way they are but at least let's get rid of
- The dialog that pops up when a user sends a form
- The dialog that appears when a user uploads a file
in the default settings.
> making things ultra-lax for fear of annoying the user is what leads to
> situations such as Microsoft's horrible security record with things such as
> email clients and web browsers.
I wouldn't be complaining if there were mass infections or viruses related to cookies.
> making things ultra-locked-down without care for the user isn't good
> either, of course.
My point, exactly.
Roland
--
There cannot be a crisis next week. My schedule is already full.
-- Henry Kissinger
_______________________________________________
kde-usability mailing list
kde-usability@mail.kde.org
http://mail.kde.org/mailman/listinfo/kde-usability
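The thread above contrasts two ways a site can keep a user logged in with a cookie: putting the username and password themselves in the cookie (the abuse Aaron refers to) versus handing out an opaque session id and keeping everything else on the server (the point Roland makes that anything a cookie holds can live on the webserver instead). The following is an added example, not code from this mailing list, from KDE or from Konqueror; it uses only the Python standard library, and the user table, password and hypothetical helper names are constructed for illustration. It shows the weak pattern beside the hardened one and the concrete difference: a stolen credential cookie yields the password, while a stolen session cookie yields only a random token that expires and can be revoked server-side.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed user table: username -> password. Plain text only to keep the
# example short; a real server stores a salted password hash.
USERS = {"roland": "hunter2"}


# --- Weak pattern: the cookie carries the credentials themselves --------------

def login_credentials_in_cookie(username, password):
    """Set-Cookie value a credential-storing site would send, or None on bad login."""
    if USERS.get(username) != password:
        return None
    c = SimpleCookie()
    c["auth"] = f"{username}:{password}"
    return c["auth"].OutputString()


def credentials_recoverable(cookie_header):
    """Anyone who can read the cookie (proxy, log file, shoulder surfer) has the password."""
    c = SimpleCookie()
    c.load(cookie_header)
    return c["auth"].value.split(":", 1)


# --- Hardened pattern: opaque session id, all state stays on the server -------

SESSIONS = {}        # session id -> {"user": ..., "expires": ...}
SESSION_TTL = 3600   # seconds a session stays valid (assumed value)


def login_session_cookie(username, password, now=None):
    """Set-Cookie value carrying only a random, unguessable session id."""
    if USERS.get(username) != password:
        return None
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)          # 256 bits of CSPRNG output
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL}
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True          # page scripts cannot read it
    c["session"]["secure"] = True            # only sent over HTTPS
    c["session"]["path"] = "/"
    return c["session"].OutputString()


def request_cookie_from_set_cookie(set_cookie_header):
    """Echo back only name=value, as a browser does in the Cookie request header."""
    c = SimpleCookie()
    c.load(set_cookie_header)
    return "; ".join(f"{k}={m.coded_value}" for k, m in c.items())


def user_for_cookie(cookie_header, now=None):
    """Resolve a request's session cookie to a username, or None if unknown/expired."""
    now = time.time() if now is None else now
    c = SimpleCookie()
    c.load(cookie_header)
    if "session" not in c:
        return None
    sid = c["session"].value
    sess = SESSIONS.get(sid)
    if sess is None or sess["expires"] <= now:
        SESSIONS.pop(sid, None)              # prune stale entry
        return None
    return sess["user"]


def logout(cookie_header):
    """Server-side revocation: something a credential cookie can never offer."""
    c = SimpleCookie()
    c.load(cookie_header)
    if "session" not in c:
        return False
    return SESSIONS.pop(c["session"].value, None) is not None


if __name__ == "__main__":
    weak = login_credentials_in_cookie("roland", "hunter2")
    print("weak cookie:", weak, "-> leaks", credentials_recoverable(weak))
    strong = login_session_cookie("roland", "hunter2")
    req = request_cookie_from_set_cookie(strong)
    print("session cookie:", strong)
    print("resolves to:", user_for_cookie(req), "| after logout:", logout(req), user_for_cookie(req))
```

Note that the `Set-Cookie` attributes (`HttpOnly`, `Secure`, `Path`) are emitted by `Morsel.OutputString()` and that the browser sends back only `name=value`; `request_cookie_from_set_cookie` mimics that so the lookup functions see a realistic `Cookie` header. The session store here is an in-process dict; a multi-process server would use a database or cache with the same interface.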