[3478] in WWW Security List Archive
Re: NS Security Prompt Not for Novices
daemon@ATHENA.MIT.EDU (David W. Morris)
Thu Nov 7 06:50:39 1996
Date: Thu, 7 Nov 1996 00:42:24 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
To: Dave Kinchlea <security@kinch.ark.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.LNX.3.94.961106113922.28318A-100000@kinch.ark.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 6 Nov 1996, Dave Kinchlea wrote:
> On Tue, 5 Nov 1996, David W. Morris wrote:
> [...]
> > I just encountered the following prompt
> > when accessing a web page:
> >
> >
> > >Warning: There is a possible security hazzard here.
> >
> > Netscape will launch the application c:\windows\sndrec32.exe in
> > order to view a document.
> >
> > You should be aware that any file you download from the network
> > could contain malicious program code (applications) or scripting
> > language (documents). Simply viewing the contents of these files
> > could be dangerous.
> >
> > Take precautions: donot download anything from a site that you
> > do not trust.
> >
> > Are you sure you want to continue?
> >
> > ++
> > ++ don't show this for c:\window\sndrec32.exe again.
> > Note: To show this alert again, edit your NETSCAPE.INI file.
> >
> >
> >
> > ( the ++/++ above is a check box).
> >
> > After some effort, I guessed that the file was the *.wav file
> > embeded in the html file. How a basic user could make a rational
> > decision is problematic.
> >
> > Dave Morris
> >
>
> I am not sure what your point is here, nor do I know what you mean by a
> `basic user'. This all seems pretty clear to me: Netscape is warning you
My point is that this warning provides no information which a normal/basic
user could reasonably be expected to make a decision on what the safe
response is. I define a 'basic' user as almost anyone for whom a computer
is a tool and not an end onto itself. All of my siblings are computer
literate and would have no idea how to respond to this message or even
what to do except call me for advice. Frankly a fair percentage of
the internet application developers I work with would have difficulty with
the analysis.
The message talks about being careful about downloading files from
untrusted sites but doesn't specify the site the file came from. It
also doesn't show the file in question.
Then to offer the granularity of don't prompt again for this application
again is totally worthless in the context of a message box which talks
about trusting download sites. I reasonably trust the application, it
came with Windows but I have no idea if the application (like Word or
javac) can be contaminated by the data it handles. To enable a user to
follow the Netscape suggestion of caution about the site they download
from the issues isn't if the application is asked about in the future but
if the download site is asked about. And one of the choices should be
to not prompt AND not run the application, as well as trust the site
in the future or prompt for this site in the future or not prompt and
not accept files from the site in the future.
All this prompt will accomplish is to teach the average user to
click OK to yet another annoyiung message box from the computer.
> that a particular application (which they name with a full file spec) is
> to be launched IF AND ONLY IF you allow it. It provides a way to not be
> continualy annoyed with this notice, on an individual application basis if
> that is your preference. Presumedly, any user would be happy to have this
> information and I have trouble believing that *anyone* would not know what
> Netscape was asking.
>
> I DO believe that many would not understand how `malicious code ....' will
> interact with their computer, but I think it is reasonable for people to
> key on the well known word "malicious". Only a fool would blindly say yes
> to this if they didn't understand what was happening (and yes, there are a
> lot of fools but how is that Netscape's problem?).
Its their problem when even experiences users have to work to figure out
what the response should be.
>
> While the 8.3 limits on names sometimes makes it difficult to know what
> the Application is, I don't believe there is too much difficulty in
> determining that this is the Sound Recorder (32 bit version) but that is
for who do you believe this isn't too difficult? Surely that is a key
point ... if you don't know what the application is how do you figure out
if there is any risk running the application on a downloaded file?
> neither here nor there.
And is a *.wav file dangerous?
>
> What exactly is your complaint, and how would you do things differently?
>
> cheers, kinch
>
>
>
