[3497] in WWW Security List Archive
Re: NS Security Prompt Not for Novice
daemon@ATHENA.MIT.EDU (Dave Kinchlea)
Fri Nov 8 16:24:55 1996
Date: Fri, 8 Nov 1996 11:15:32 -0800 (PST)
From: Dave Kinchlea <security@kinch.ark.com>
To: "Kevin J. McMahon" <0003557428@mcimail.com>
cc: www security <www-security@ns2.rutgers.edu>
In-Reply-To: <01961107230410/0003557428DC4EM@MCIMAIL.COM>
Errors-To: owner-www-security@ns2.rutgers.edu
On Thu, 7 Nov 1996, Kevin J. McMahon wrote:
> Dave Kinchlea and David W. Morris wrote:
> >[lots of stuff about the merits or lack of warning users about downloaded
> >software].
Actually, I don't think either of us were arguing about these merits,
I believe we both agree that it is a useful and good thing to do
so. Where we disagree is exactly HOW to warn users and whether the
current message from Netscape achieves the stated goal.
>
> The most basic problem in security is that the end user is not even
> aware that there is a problem. Many of the Unix vendors have taken
Indeed, they are not aware (even many so-called sophisticated
users). I contend that it is inherently difficult to make so-called
`basic' users aware of the problem as they are not interested in the
technical aspects of what they are doing. It is, of course, the
technical aspects that makes it dangerous. What I tried to show in my
tounge-in-cheek `New NS PopUp message' was that simply offering more
choices and more information in the message is not enough. These basic
users will NOT take the time to read and understand the message, no
matter how much information you provide (in that popup). I don't
pretend to have the answers (perhaps the reference to Computer Human
Interfaces does, but I doubt it) but I am damn sure that offering more
choices to these users, without offering them concrete examples that
are meaningful to them, will *not* help one iota.
Also, waiting until such a time as they are doing something insecure
to warn them that it is insecure is a bad idea. They are not
interested right then, they want to download whatever it is they
clicked on. They need to be aware *BEFORE* they attempt to make the
download in the first place.
> a beating because their software is inherently vulnerable, out of the
> box, with no warning to the users. I think Netscape should be applauded
> for their inclusion of such a warning. Granted, there are probably
As do I, which was my original gripe to David's original message.
> better ways of implementing this; but at least they have made the initial
> attempt.
No doubt there are better ways, but I do not know what they are and I
do not believe that David does either.
> Suggestions, like allowing the site to be marked as trusted, are the
> kinds of thing that I would hope Netscape would consider in a future
> release.
Until and unless IP spoofing AND WWW hacking becomes a thing of the
past, I think it is a terrible idea to trust a site (in the general
case). While I believe it is possible for some sites to be trusted by
some other sites, offering this choice will only give the end-user a
false sense of security. It will be abused, they will find out that
all they have to do is to `trust' each site as it first pops up the
message and that anoying message will not popup any more. They won't
understand the consequences of the trust they are placing on a site,
they may even believe that if one user at a site can be trusted, why
then ALL users at a site can be trusted. As well, there is no reason
to believe that a `trusted' site this week should be trusted next week
(again, in the general case), people come and go, including
system/network/web administrators.
> Some confusion is bound to occur with even the best implementation.
> At least people will be made aware that there is an issue. If they
> don't understand it they will, hopefully, ask someone about it and become
> better educated in the process.
Which I believe Netscape is doing fairly well with their current?
message, it provides enough of a teaser that people ought to think
twice and peraps look into the issue deeper. David Morris appearently
does not agree.
> Security is defined as inconvenience. It is a rare bird indeed that
> is more secure and easier to use.
Exactly. I think it is a mistake to let people use the web/Internet
with the impression that they are playing around with harmless
tools. Users should be encouraged (perhaps forced?) to learn much more
about the tools they are using to see the danger that they place
themselves in. Education is the answer, but there is money to be made
out there and educating users is something that gets in the way of
making money. Businesses are afraid to scare away people with horror
stories about what could actually happen.
I would be in favour of seeing some kind of warning placed on the
software itself, to be read *before* it is installed. Let new users be
aware that installing and using the software they have just purchased
could be hazzardous to the health of their computer. People are funny,
many folks believe that if they are not directly warned about
something at the time that they purchase it, there is nothing wrong
with that something. As silly as this sounds, it is human nature (or
perhaps just a consequence of having so much regulation in our lives
that we tend to believe that if something isn't regualated, it doesn't
need to be?).
cheers, kinch
