Gervase Markham writes:

> Ideas such as this have been proposed in Bugzilla - please find the bugs
> and read them to see the current state of the debate.

I'm only interested in what I actually see in the browser, as that's what I have to use.

> However, I'd say that if we ever end up with a security UI 1/10 as
> complicated as Microsoft's, then we've failed in our duty to protect our
> users.

Actually, the complexity of MSIE's security options is one of the few points in its favor. The ability to precisely configure security is extraordinarily important in any software that accesses the Net today. Anything that does not allow extensive customization will doom users to security breaches, which have very high visibility.

> I suspect a lot of MS's security UI is necessary because they add
> features which are security holes, then can't remove them, so they
> provide a way to turn them off - giving you a choice of letting your
> site work and being exposed, or breaking it and being secure.

Security is always a choice between exposure and safety. To be completely secure you must disable everything; to be completely flexible you must enable everything--but then you become vulnerable in terms of security. There isn't any way around this. However, a good product lets you decide exactly how much risk you want to take by allowing you to precisely control exactly what the product will or will not do in its interactions. This is especially important for products like browsers that have extremely high exposure to attack from the Net.

> You haven't yet established why these zones are necessary.

Yes, I have. Zones allow you to control access with a high degree of granularity at low administrative cost. Controlling sites individually is too much administrative overhead, and having all-or-nothing settings for everything at once is too restrictive and insecure. Most ACL schemes used in IT embody some sort of grouping mechanism to ease administration without greatly sacrificing granularity.

> If Java is safe, it should be enablable everywhere with one switch. If
> it's not safe, it should be disabled until it is.

The world is not that simple. Programming languages are not safe or unsafe; only individual uses of those languages are safe or unsafe. Just enabling or disabling Java for the whole world is so coarse that it is useless. All programming languages are useful, but all of them have security issues. There's no way around this. But if one can individually configure the ability to use a given language based on how much one trusts the user, there is no problem. If it's all-or-nothing, one must either open one's machine to every conceivable attack, or completely discard any utility offered by the programming language in question, and neither option is particularly useful.

-- Anthony

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
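The zone model argued for in this message, as an added illustration that is not part of the original mail or of any browser's code: hostname patterns place sites into a handful of zones, each zone carries one set of feature switches, and unmatched sites fall into a default zone. Zone names, patterns and settings here are constructed for the example.

```python
from fnmatch import fnmatch

# Constructed sample policy (hypothetical zone names and hostnames).
# Each zone carries one set of feature switches; sites inherit them via membership.
ZONE_SETTINGS = {
    "trusted":    {"java": True,  "scripting": True},
    "intranet":   {"java": True,  "scripting": True},
    "internet":   {"java": False, "scripting": True},
    "restricted": {"java": False, "scripting": False},
}
DEFAULT_ZONE = "internet"  # a site matched by no rule lands here, not in "trusted"

# Membership rules, most specific first; the first matching pattern decides,
# so the narrow "ads.*" rule must precede the broad "*.partner.example" one.
ZONE_RULES = [
    ("ads.partner.example", "restricted"),
    ("*.partner.example",   "trusted"),
    ("*.corp.example",      "intranet"),
]


def zone_for(host: str) -> str:
    """Return the zone a hostname belongs to, falling back to DEFAULT_ZONE."""
    host = host.lower().rstrip(".")          # normalise case and trailing dot
    for pattern, zone in ZONE_RULES:
        if fnmatch(host, pattern):
            return zone
    return DEFAULT_ZONE


def allowed(host: str, feature: str) -> bool:
    """Resolve one feature switch for a site through its zone; unknown features are denied."""
    return ZONE_SETTINGS[zone_for(host)].get(feature, False)


def hosts_affected(hosts, zone: str):
    """Administrative view: which of these sites would a change to `zone` touch?"""
    return sorted(h for h in hosts if zone_for(h) == zone)


if __name__ == "__main__":
    sample = ["www.corp.example", "docs.partner.example",
              "ads.partner.example", "news.example"]
    for h in sample:
        print(f"{h:24} zone={zone_for(h):10} java={allowed(h, 'java')}")
    # One zone-level edit changes every member site at once, with no per-site work:
    ZONE_SETTINGS["intranet"]["java"] = False
    print("intranet members now without Java:", hosts_affected(sample, "intranet"))
```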