Stephan Wehner writes:

> You seem to be suggesting a huge number of settings. I submit the
> average user will only get confused.

The average user will run with defaults. However, power users and network administrators will want to customize the settings to improve security. Remember, it's the friendly defaults that got MSIE into trouble.

> The amazing number of settings of IE that you mention doesn't convince
> me -- it looks to me more like MS is trying to intimidate users.

Users don't even know about those settings, except for the power users and administrators mentioned above.

If you can't disable dangerous functions, you cannot protect against viruses, worms, adware, and spyware. But if you can only disable them on a global basis, you make it impossible to surf many sites that are trustworthy to some degree. The only solution is to allow flexible configuration of security, so that some sites are trusted, and others are not. MSIE allows this, and when the feature is used, MSIE provides for safe and flexible surfing. Most of the security problems with MSIE stem from the fact that nobody is using these settings, but people in the know (such as myself) use them heavily to control security.

In order for Firefox to provide similar security without getting in the way of surfing, it needs to have similar flexibility. Turning everything on or off for the entire Web at once just isn't versatile enough.

> If you want the user to disable this or that feature before entering a
> site, fine. On the other hand, why should the user even need to know
> about this or that feature in the computer world.

The user need not know about it. But those of us who do know about it want control over it.

For example, right now, I have Javascript, ActiveX, and Java turned off for everything on the Web by default in MSIE. If I trust a site, I move that site to the list of trusted sites, for which the settings allow Javascript (and ask me for permission for ActiveX). With Firefox, I don't have this flexibility: I can turn Javascript on or off, but only for every site in the world at the same time. I cannot enable Javascript selectively for trustworthy sites while leaving it disabled for all other sites.

It's interesting that Firefox does provide for a simple list of allowed sites for pop-ups and software installation, but not for Java or Javascript. It needs to provide this for everything, and preferably in categories so that it's not just on/off for all sites. If this is not done, you can rest assured that Firefox will be even more vulnerable to attacks in the future than MSIE has proven to be.

--
Anthony

_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
