2012/3/8 Jim Straus <jstr...@mozilla.com>:
> Hello Adrienne -
>  Thanks for the good thoughts.  I think we all 100% agree that installation 
> time is the wrong time to ask.  I'm wondering about your thoughts on asking 
> for all permissions at the same time (in a list, with the option to 
> selectively allow different permissions) or as they are used?  The former 
> seems less obtrusive, since the user is only interrupted once, but tends to 
> lead to users just approving everything without thinking about each 
> permission.  I guess part of the decision will be how many permissions we 
> expect any specific application to need.  If it is one or two (like 
> geolocation and contacts), as you go would be okay.  If it is more than two 
> or three, getting multiple requests is going to be too intrusive.

Another reason not to ask for all permissions at once is that it's hard
to build a UI for that which users would actually read.

I think it's generally considered that putting a big dialog in the
user's face asking them to make a security decision simply makes them
click "whatever button will make this dialog thing go away so I can
get back to what I was doing". I.e. users too often just try to
dismiss it without bothering to read its full contents.

However, what seems to work better is if you actually put the relevant
text in the actual buttons that the user is pushing. With a dialog
saying "This website wants to know where you are currently located.
Do you want to allow this?" and two buttons that say "yes" and "no",
users will read the two buttons and try to figure out which one will
make the dialog disappear.

However, if you instead make the dialog say "This website is trying to
get your current location. What do you want to do?" with two buttons
that say "Give my location to website" and "Deny access", then you
have a better chance of getting a more relevant answer.

If you lump all your questions together into a single dialog, you'll
have a very hard time using that trick.

>  The idea that some permissions are implicitly provided (based on a previous 
> decision or some heuristics) is part of the plan.  But we may still want to 
> enumerate the permissions in a permissions manager application so a user can 
> see what things an app is using and explicitly turn them on or off even if 
> they are enabled or disabled by default.

Using heuristics I think will be hard. But I do think that we should
have a default policy for websites as well as a default policy for
installed apps, and that those policies should be user configurable.

>  I agree that framing things in terms of explicit risks is a good idea, but 
> can we always say what they are?  Letting an application know your IMEI can 
> certainly be used to "track you across applications" is one risk, but an app 
> could also use it for other nefarious uses.  And there are reasons where 
> granting IMEI is legitimate.  Trying to come up with the right messages might 
> be impossible.

Maybe providing both pieces of information is the best solution. I.e.
make the dialog say "This app wants access to your IMEI number. If you
grant this access they can do evil actions X and Y. And if you grant
access to multiple apps they can track you across apps." and then make
the buttons say "Grant IMEI number" and "Don't grant IMEI number".

>  On the idea that permissions should be built into the user's natural flow, I 
> agree.  I think it goes further.  If we can determine that a user explicitly 
> took an action to perform a task, we can assume they have implicitly given 
> permission.  If a user presses a shutter button to take a picture with the 
> camera, they are implicitly giving permission to use the camera.  Likewise, 
> if a user enters credentials for Facebook, we can assume they want to post to 
> their Facebook wall.  Whether we can do this at all or in some cases for web 
> applications, I don't know yet.

How will we know that the user pressed something that looked like a
shutter button? Especially given technologies like clickjacking and
CSS.

>  I like the idea of auditing.  I'm not sure what you mean by when a specific 
> permission is actually used, but the idea of giving the user a sense of how 
> often an application is using the permission is certainly possible and could 
> be shown in a permissions manager.

If we allow the user to change the level of access from "allow" to
"prompt user when used", then that should enable the user to see
when a given capability is used.

/ Jonas
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
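The following is an added example, not code from this thread or from Mozilla, that models the permission design discussed above in one small JavaScript module: three access levels ("allow", "deny", "prompt when used"), separate user-configurable default policies for websites and installed apps, per-app overrides as a permissions manager would set them, prompts whose buttons name the concrete action instead of "yes"/"no", and an audit log that yields how often each app used each permission. The permission names, origins, default levels and prompt wording are assumptions made for illustration.

```javascript
// Added example (not from the dev-security thread): a toy permission manager.
// Permission names, origins, default levels and prompt text are assumptions.

const ALLOW = "allow";   // use the capability silently
const DENY = "deny";     // refuse silently
const PROMPT = "prompt"; // ask the user at the moment of use

// Separate default policies for plain websites and installed apps; both are
// meant to be user-configurable (see setDefault). Values are assumptions.
const DEFAULT_POLICY = {
  web: { geolocation: PROMPT, contacts: DENY,   camera: PROMPT, imei: DENY },
  app: { geolocation: PROMPT, contacts: PROMPT, camera: ALLOW,  imei: PROMPT },
};

// The buttons name the concrete action rather than "yes"/"no", so a user who
// only reads the buttons still sees what they are granting. "%s" = origin.
const PROMPT_TEXT = {
  geolocation: { question: "%s is trying to get your current location. What do you want to do?",
                 grant: "Give my location to %s", refuse: "Deny access" },
  contacts:    { question: "%s wants to read your contacts. What do you want to do?",
                 grant: "Let %s read my contacts", refuse: "Deny access" },
  camera:      { question: "%s wants to use the camera. What do you want to do?",
                 grant: "Let %s use the camera", refuse: "Deny access" },
  imei:        { question: "%s wants access to your IMEI number. If you grant this to " +
                           "several apps they can track you across apps. What do you want to do?",
                 grant: "Grant IMEI number to %s", refuse: "Don't grant IMEI number" },
};

class PermissionManager {
  // askUser(prompt) stands in for the dialog and returns the label that was pressed.
  constructor(askUser, policy = DEFAULT_POLICY) {
    this.askUser = askUser;
    this.defaults = JSON.parse(JSON.stringify(policy));
    this.overrides = new Map(); // "origin|perm" -> level, set from a permissions manager UI
    this.audit = [];            // one entry per use, for the "how often" view
  }

  setDefault(kind, perm, level) { this.defaults[kind][perm] = level; }

  // Explicit per-app switch, even for permissions that are on or off by default.
  setOverride(origin, perm, level) { this.overrides.set(`${origin}|${perm}`, level); }

  effectiveLevel(origin, kind, perm) {
    const key = `${origin}|${perm}`;
    if (this.overrides.has(key)) return this.overrides.get(key);
    const level = this.defaults[kind][perm];
    return level === undefined ? DENY : level; // unknown permission: fail closed
  }

  buildPrompt(origin, perm) {
    const t = PROMPT_TEXT[perm] || { question: `%s wants to use ${perm}. What do you want to do?`,
                                     grant: `Let %s use ${perm}`, refuse: "Deny access" };
    const fill = (s) => s.replace(/%s/g, origin);
    return { question: fill(t.question), buttons: [fill(t.grant), fill(t.refuse)] };
  }

  // Called when the capability is used, not at install time.
  request(origin, kind, perm) {
    const level = this.effectiveLevel(origin, kind, perm);
    let granted = false;
    let prompted = false;
    if (level === ALLOW) {
      granted = true;
    } else if (level === PROMPT) {
      prompted = true;
      const prompt = this.buildPrompt(origin, perm);
      granted = this.askUser(prompt) === prompt.buttons[0]; // anything but the grant button denies
    }
    this.audit.push({ origin, perm, level, prompted, granted });
    return granted;
  }

  // Per-permission usage counts for one origin, as a permissions manager might show them.
  usage(origin) {
    const summary = {};
    for (const e of this.audit) {
      if (e.origin !== origin) continue;
      const s = summary[e.perm] || (summary[e.perm] = { uses: 0, granted: 0, prompted: 0 });
      s.uses++;
      if (e.granted) s.granted++;
      if (e.prompted) s.prompted++;
    }
    return summary;
  }
}

// Walk-through with a scripted user who always presses the first (grant) button.
function demo() {
  const clicks = [];
  const pm = new PermissionManager((p) => { clicks.push(p); return p.buttons[0]; });
  const site = "https://maps.example"; // assumed website origin
  const app = "app://camera.example";  // assumed installed-app origin
  const results = {};
  results.siteContacts = pm.request(site, "web", "contacts");    // web default: denied silently
  results.appCamera = pm.request(app, "app", "camera");          // app default: allowed silently
  results.appLocation = pm.request(app, "app", "geolocation");   // prompted, user grants
  pm.setOverride(app, "camera", PROMPT);                         // user flips it to "prompt when used"
  results.appCamera2 = pm.request(app, "app", "camera");         // now the user sees the use
  pm.setOverride(site, "geolocation", ALLOW);                    // user explicitly allows the site
  results.siteLocation = pm.request(site, "web", "geolocation"); // no prompt any more
  return { results, clicks, usage: pm.usage(app) };
}
```

Running `demo()` shows the two silent decisions (the web default denies contacts, the app default allows the camera) producing audit entries without a dialog, while the "prompt when used" override on the camera turns later uses into visible prompts, which is the auditing effect described at the end of the message.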
