Ben Bucksch wrote:
>
> (Repost, because the news server had problems the last time.)
>
> Xplo Eristotle wrote:
>
> > As a user who's technically-competent in general, but has little-to-no
> > knowledge about the kind of security you're trying to achieve here,
> > allow me to make some points. Consider this "user feedback", by all means.
>
> Xplo,
>
> please understand that PKI (and probably trust in general) *is*
> inherently a complicated world. You have to spend at least an hour or
> two to understand what this is all about.
My problem, and the basis for my previous post, is essentially this:
despite the occasional need for security on the internet, the majority
of the interface you describe is going to be utterly meaningless to the
majority of Mozilla's users (IMHO), and has nothing really to do with
the function of a browser, which is - to be brief - displaying web
pages. My purpose is not to criticize your work from the standpoint of
someone well-versed in crypto, or to pretend that I know more about it
than you do; rather, as I pointed out in my earlier post, I am speaking
as a Mozilla user with some understanding of good UI design principles,
and of their importance. I am supporting mpt's assertion that what you
have now sounds far too confusing for someone like myself.
To give a more specific example of how this is a problem...
> 2. If you just want to transfer your credit card number to a web shop
> without anybody listening, you have to understand only a fraction
> of PSM and its UI.
Which fraction would this be? And when in the past (if at all) have
users been required to understand this fraction, and if they were, how
were they made to understand it? If I need to mess with some sort of
preferences, and the phrase "and its UI" leads me to believe that I do,
how will I know which part to mess with, and what to do with it?
> > I've only seen a certificate used once in all my time on the web.. and
> > that was for something stupid. (Downloading a piece of software, IIRC.)
> > I have yet to understand what use these are to anybody, or why they're
> > apparently given out free to everyone who downloads a browser; what good
> > is a lock if everyone has the key?
>
> I'm sorry, but this shows that you are lacking even enough knowledge for
> the 2nd task above.
I'm afraid not, since I have *done* #2, above.
What this indicates to me is that this aspect of browser security can be
made transparent (or nearly so), since it has been already. Which means
you should be going back to the drawing board.
> in short: A certificate is something like a digital ID card. It is used
> each time you use SSL to authenticate the website. Without the cert,
> https just wouldn't work. It allows you (and the browser) to see the
> originator of the data (according to the CA).
It still doesn't make sense. If the browser can be made to do this with
a certificate, which as far as I can tell is simply a generic piece of
data stored on the user's hard drive, then why require "certificates" at
all? Why not just have the browser do this by default?
However, since the answers would fall beyond the scope of this thread,
and you can't likely change the (weird) system already in place, I'll
move on. My point here is simply that the typical web shopper - who is
in turn probably a fairly typical user, as well - shouldn't be expected
to understand this technology, and has never needed to.. at least not to
the point of fiddling with some UI to buy a book securely, let alone
sifting through what seems to be an excessively complex and arcane UI to
do it...
> >> When things are working correctly with
> >> your smart card, you don't need to go here. If things are not working
> >> correctly, however, you'll need a way to see which modules are
> >> loaded, and which tokens are present.
> >
> > What on earth are you talking about?
>
> You are unfair here. If you never used a smart card, you are not
> supposed to understand that.
On the contrary, I'm being completely fair. If I'm not supposed to
understand that here, then why am I expected to understand it in the UI,
even if the correct thing to do is ignore it? Security through obscurity
is an exceptionally poor design philosophy, IMO.
> > Mozilla is a piece of software, not a
> > peripheral. Why does it need hardware drivers?
>
> Windows is also a piece of software, nevertheless it has a Device
> Manager and hardware drivers.
Windows is an operating system, and its purpose *is* to handle all of
those things. Regardless of hype about "internet platforms", Mozilla is
not an OS, and it does not have this purpose.
I'm ignorant about the finer (and many of the blunter) points of
internet security, but I'm not an idiot. Spare me comparisons as
inadequate as this one, please.
> > Shouldn't the OS be handling all of that?
>
> What, if the OS doesn't?
You're telling me that the OS can't handle a peripheral and its driver,
despite being designed for that purpose?
> > Greek to me, pal. I don't know who these people are who use this stuff,
> > but it sure as hell isn't me, and it isn't anyone I know.
>
> Obviously. Why are you commenting here then?
If you still don't know why after reading this far, I strongly suggest
you find outside help for both your UI design and your user studies,
because you are obviously missing the point.
> >> Users choose weak passwords. But unless they get feedback on what's
> >> "worse" and what's "better", they're not going to improve the quality of
> >> their passwords.
> >
> > Finally, something in English. But this is silly; anyone who'd be
> > messing with this much security stuff in the first place surely knows
> > what kind of passwords to choose.
>
> No. Unfortunately no.
>
> Weak passwords are one of the largest security problems overall. I think
> that a "password quality meter" is a *very* good idea.
>
> > What? People don't read documentation? Well, surely that's their
> > problem. RTFM, yes?
>
> No, with weak passwords, it's usually not only their problem. If a
> password is broken, an attacker might get access to sensitive data or
> resources. And these data and resources are usually *shared*, like
> private emails (there is always also a sender), company secrets etc..
As far as I'm concerned, RTFM still stands as a guiding principle here.
There's no way that a user so unfamiliar with security as to not
understand password strength (a concept which even *I* am familiar with,
despite supposedly being unable to buy things securely online) is going
to be able to figure out what the strength meter is and how it works
UNLESS you document it somewhere.. and the space you use for that
documentation could easily be used to educate the user about password
strength instead.
Sorry, but your logic seems pretty thin here, and the strength meter a
gimmick at best.
As far as everyone suffering if secret data is compromised by a weak
password broken by a hacker, tough shit. If security is *that* important
to people, then it's *their* *responsibility* to see that it's properly
taken care of, by informing everyone involved of the appropriate
security procedures, and making sure that they are properly followed,
just as it has been for decades. It's not Mozilla's responsibility, or yours.
> >> You might also
> >> want to turn off the low-grade encryption ciphers to make sure you're
> >> only using the high-grade crypto.
> >
> > Shouldn't the high-grade crypto stuff be on by default, and transparent
> > to the user?
>
> It is. But you missed the "only"! If low-grade ciphers are enabled,
> things might be *too* transparent - the transaction might use relatively
> weak crypto while the user assumes strong crypto. If low-grade ciphers
> are disabled, you might not be able to communicate with some servers
> (which only support that relatively weak crypto).
Point; I did misread it. However, this raises the question: will I ever
be required to alter these settings, or in the case that I see something
about "weak crypto" and decide to disable it "just to be safe", how will
I later know whether or not I'll need to turn it back on? Will Mozilla
inform me that the server I'm trying to connect to uses only weak crypto
and that I need to turn the weak crypto back on?
Let's discuss UI, and assume for a moment that it does present a
meaningful error message. Most likely, this error message will be in
some sort of dialog window, since that's more or less universally how
errors of this sort are presented. How difficult would it be to have an
error dialog that gives the user the option of temporarily re-enabling
the weak crypto without having to go into the preferences and change
them? For example:
The server you are trying to connect to requires
[technology], but you have disabled [technology]
in your security preferences. Would you like to
enable it for this transaction only?
[ OK ] [ Cancel ]
(Yeah, the buttons are in a silly place. That's not important; it's only
an example.)
For that matter, something similar could be done wherever the above
situation would apply. Asking the user if he wants to use something that
he's already disabled would not be a problem in this case, since you
would be reporting an error that would need to be read and dismissed
regardless of whether you give the user the temporary enable option or
not, and it would be far more convenient than forcing him to change his
prefs, access the server again, and then turn them back off again if he wanted.
This certainly won't fix all the problems with the UI, and doesn't even
pretend to address them all, but it seems to me like a step in the right direction.
-Xplo
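Added example (not code from this thread, from PSM or from either poster): a small model of the "enable it for this transaction only" dialog Xplo proposes, with the high/low cipher-grade split Ben describes. The suite names, key sizes and function names are constructed for illustration; the point shown is that the override is scoped to one connection, the stored preference never changes, and the dialog names the actual weak suite so the user is not left "assuming strong crypto".

```python
# Constructed model of a cipher-suite policy with a one-transaction override.
# Suite names and key sizes are illustrative, not a real TLS suite table.
from dataclasses import dataclass, field

# Constructed table: suite name -> symmetric key bits (export-grade suites were 40-bit).
SUITES = {
    "RC4-40-EXPORT": 40,
    "DES-56": 56,
    "3DES-168": 168,
    "RC4-128": 128,
}

def grade(suite: str) -> str:
    """Classify a suite as 'high' (>=128 bits) or 'low', the split the thread discusses."""
    return "high" if SUITES[suite] >= 128 else "low"

@dataclass
class ClientPolicy:
    # Low-grade ciphers are off by default; only this set is consulted on a normal connect.
    enabled_grades: set = field(default_factory=lambda: {"high"})

def negotiate(allowed_grades, server_offered):
    """Pick the strongest suite the server offers within the allowed grades, else None."""
    candidates = [s for s in server_offered if s in SUITES and grade(s) in allowed_grades]
    return max(candidates, key=lambda s: SUITES[s]) if candidates else None

def connect(policy, server_offered, consent_for_this_transaction=False):
    """Return (outcome, suite); outcome is 'ok', 'needs_consent' or 'fail'.

    The override lives only in this call's argument: policy.enabled_grades is never
    modified, which is the 'for this transaction only' behaviour of the proposed dialog.
    """
    suite = negotiate(policy.enabled_grades, server_offered)
    if suite is not None:
        return "ok", suite
    # Nothing acceptable under the policy: would a currently-disabled grade have worked?
    fallback = negotiate({"high", "low"}, server_offered)
    if fallback is None:
        return "fail", None  # no common suite at all; no dialog can help here
    if not consent_for_this_transaction:
        return "needs_consent", fallback  # caller shows the dialog naming the weak suite
    return "ok", fallback  # user accepted for this connection only

def dialog_text(suite):
    """The message body from the thread, filled in with the weak suite and its grade."""
    return (f"The server you are trying to connect to requires {suite} "
            f"({SUITES[suite]}-bit, {grade(suite)}-grade), but you have disabled "
            f"{grade(suite)}-grade ciphers in your security preferences. "
            "Would you like to enable it for this transaction only?")
```

Current browsers no longer ship low-grade suites at all, so the nearest modern equivalent of this prompt is the click-through on a protocol or certificate error rather than a cipher re-enable.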