On 18/03/12 01:59 AM, lkcl luke wrote:
> On Sat, Mar 17, 2012 at 10:17 AM, Andreas Gal <[email protected]> wrote:
>> We have trained users over a long period of time to think of sites/origins and
>> not the actual code when making security decisions.
>
> and, also, unfortunately - don't think of this as criticism, think of
> it as "useful insight" - the mozilla developers as well.
We have trained users forever to accept things like padlocks and CAs and
warnings and all sorts of things. Unfortunately little or none of the
training stuck. When the browsers started removing the padlocks, nobody
noticed. When the CAs started issuing certs for other domains, only
Chrome noticed. And even then, only a user who happened to be
particularly thoughtful and aware and involved noticed that Chrome
noticed... probably because we had trained users for so long to pay
attention to warnings, and for the most part users had done exactly the
opposite.

Unfortunately, I have to agree with some of my antagonists in this
debate. Users just want it to work, and any training is approximately
futile for the net generation. Apple understands this (although they
don't get it right all the time). The challenge is to make this
seamless and not let the security model interfere with that.
>> The whole code signing discussion is a total distraction here.
>
> no andreas, it's not. if you genuinely believe that the *entire*
> discussion should be solely and specifically restricted to not involve
> *any* code-signing of any kind, then i'm sorry to have to be the one
> to point out that you're simply not qualified to be involved in the
> discussion.
Well. It is the case that some code-signing experiments such as those
conducted by the PKI system have not worked as well as expected. This
is probably most politely put down to a mismatch in expectations. It is
not unreasonable to look at these experiments and assume that
code-signing is a woftam. But that would be wrong.

In the alternate, the debian system also shows a flaw - it will likely
only work in the "everyone-is-debian" model. This is a little like the
"Apple-bites-your-life" model except everyone is individual and personal
and technically competent at some level within the debian world.
Everyone has engaged in the same single model (e.g. signing parties
and implicit contracts) already.

Whereas here, the team seem to have set an explicit goal of many
interacting communities. This will make it harder for code-signing
because certain community-based defences that are inherited by being in
the same place won't work as well. E.g., Debian's shop will assume GPL,
FreeBSD's shop will assume BSD, etc.

In other words ... I'm keen to see how strong this requirement is for
multiple everything and seamless movement. Because it does set us up
for the most exciting of rides in creating an ecosystem & society of apps.
> that's not a personal criticism, it's just a statement of fact. it
> falls to me - the "outsider" and the person whom everybody likes to
> think of as "oh christ that fucking arsehole again, let's ignore him"

Hey! That's my job :)

> - to point that out. ah well. can't be helped.
iang
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security