Ian G writes:

> I'm not sure I see that. The number of sites is
> already so great, and users don't adjust anything
> in IE .. not that I ever heard of. So how can it be
> possible to be impossible to manage?

It's unlikely that every site requires different security settings, but the number of sites that might not be suitable for the default settings can become very large (hundreds or thousands of sites, as in my case). There may be hundreds of individual security options, too.

It's easier to define a half-dozen categories or so and adjust the security settings for each category, then place individual sites into the category for which they are best suited. Then you don't have to set options for every single site, but you still have a lot of flexibility concerning security levels for different sites. The more categories you have, the greater the flexibility. MSIE only provides four categories, and two of those cannot have sites added to them, so the flexibility of MSIE is limited.

> For those afficionadi who adjust like crazy, I think
> the onus would be on them to design (and perhaps
> build) a nice site adjuster that didn't slow them
> down.

They may as well write their own browser, then, if they're going to write code that does what the browser is supposed to be doing.

> Ah, ok that answers my earlier question - the
> set of categories is fixed as far as the user is
> concerned.

Yes. Maybe six categories by default. If the user really, really wanted to change the categories, he could do so with a configuration file or a registry entry or something, but there'd be no user interface to do it.

For each of these categories, he can fully adjust the security parameters (of which there may be a hundred or so, as in MSIE). Then he can put individual sites or groups of sites into each category, and decide which category will serve as the default for sites that aren't otherwise categorized. Now he has complete user-friendly surfing for sites he fully trusts, completely safe surfing for sites he doesn't trust at all, and several levels in between, thanks to this system.

> With the relationship information for the rest
> of the site "of course" :-) I say that knowing
> that such information isn't recorded as yet...

That's a lot of information to be recording, given how many sites a user might visit.

> That's why I suspect that Firefox will always deliver 'safe out of the
> box.' Start out safe, and then loosen up. The trick seems to be that
> Firefox has to suggest that something is being tried and there is an
> opportunity to loosen up.

I hope that it stays safe, but we'll see. Right now, there's a problem with safety already. If you don't trust Javascript on some sites, you have to turn off Javascript. But if you turn it off, it is turned off for _all_ sites, not just the ones you don't trust. So you have to choose between safe surfing but with many sites that won't work, or unsafe surfing but with sites that will work, because the option is all or nothing.

> Exactly!

Another possibility is the loadable security settings. If a system administrator wants to roll out Firefox to a thousand desktops, he can automate the loading of the security parameters with each installation, so that every user has the same security parameters and the same list of sites in each category. For this to work best, it would have to be possible to lock the security settings in a corporate environment, but even without a locking feature, the ability to load new security settings in one operation would greatly encourage the use of Firefox on corporate desktops. A company could be as strict or as liberal as it wished about security, based on the security information it loads into each copy of Firefox.

--
Anthony
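
A sketch of the category scheme proposed in the message above, added here as an illustration and not code from Firefox or from the poster. The category names, setting keys, the leading-dot convention for "a domain and its subdomains", and all hostnames are assumptions made for the example.

```javascript
// Constructed sample of a loadable policy file an administrator could ship.
const SAMPLE_POLICY = JSON.stringify({
  defaultCategory: "restricted",          // used for any site not listed below
  categories: {
    trusted:    { javascript: true,  cookies: true,  plugins: true  },
    normal:     { javascript: true,  cookies: true,  plugins: false },
    restricted: { javascript: false, cookies: false, plugins: false },
  },
  sites: {
    "bank.example": "trusted",            // exact host only
    ".example.org": "normal",             // example.org and every subdomain
    "ads.example.org": "restricted",      // exact entry overrides the suffix rule
  },
});

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parse a policy and reject it if any site, or the default, names a
// category that is not defined: a typo must not silently loosen security.
function loadPolicy(jsonText) {
  const p = JSON.parse(jsonText);
  p.categories = p.categories || {};
  p.sites = p.sites || {};
  if (!has(p.categories, p.defaultCategory)) {
    throw new Error("default category is not defined");
  }
  for (const [site, cat] of Object.entries(p.sites)) {
    if (!has(p.categories, cat)) {
      throw new Error(`site ${site} uses unknown category ${cat}`);
    }
  }
  return p;
}

// Exact host wins, then the most specific ".suffix" entry, then the default.
function categoryFor(policy, hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (has(policy.sites, host)) return policy.sites[host];
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = "." + labels.slice(i).join(".");
    if (has(policy.sites, suffix)) return policy.sites[suffix];
  }
  return policy.defaultCategory;
}

// Settings that apply to one site, e.g. settingsFor(p, host).javascript
function settingsFor(policy, hostname) {
  return policy.categories[categoryFor(policy, hostname)];
}
```

With a restrictive default category, JavaScript stays off for unlisted sites while remaining on for the sites placed in a more trusted category.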
