Security and usability

Alex Russell alex at netWindows.org
Mon Aug 18 22:03:27 BST 2003


On Monday 18 August 2003 15:33, Datschge wrote:
> Thank you for taking the time to collect all the exceptions, but I don't
> see how your collection is representative of the whole internet. Also I'd
> prefer you to use a less flaming tone in your responses. You're wrong if
> you think you are doing anyone including yourself a favor by flaming
> around.
>
> > Great, now almost all my sites are broken because I usually have all
> > static information (pictures, css, js) served from another domain because
> > I use mod_rewrite.
>
> Why spreading out the source over different domains? Most sites which do so
> use subdomains for this purpose, if at all.

I think this is a naive and broken assumption. As a web application security 
specialist, I can tell you that blocking these types of data isn't likely to 
yield a significant positive outcome, but that's kind of orthogonal to the 
bigger picture.

The hardest part of security is figuring out what is _really_ important in a 
system, and what the credible attacks are. I don't see any indication that a 
threat model has been put together for this proposal, rather the proposal 
was more along the lines of "I think this will be good, what do you think?" 
(this is not a slam or meant to be denigrating, the discussion of privacy 
features is something I wholeheartedly support). So far the debate has 
generally continued in this vein with examples and counter examples from each 
side. This is not the way to design or discuss security features.

Rather, let's break down the suggested features, one by one. Let's look at the 
threats posed by each type of data/action, figure out the frequency/impact of 
the problem, and take action based on consensus around those results. If you 
constrain your actions to those in which the benefit clearly outweighs the 
cost/inconvenience to the user (with the potential to lower that cost via new 
features), you'll wind up with a system your users actually want to use, not 
least of all because it does what they think it should (and provides options 
where those expectations differ) and only "breaks" things where there is 
tangible benefit to doing so.

Anyway, if this discussion were really about privacy, we'd be talking about 
making things like anonymizer.com easier to use from inside the browser 
(avoid explicit login w/ them, remove need for explicit anonymizer frame, 
etc...) as well as encrypting temp files and throwing away the key at the end 
of a browser session, those kinds of things. As it stands, it sounds like a 
pissing match, which really isn't helping us get anywhere quickly.

So what do you say? Anyone up for some threat tree modeling? I know I'm game.

-- 
Alex Russell
alex at burstlib.net
alex at netWindows.org
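A worked illustration of the per-threat frequency/impact/cost weighing the message above argues for, added here as an example and not code from the original post, from the list, or from the Konqueror project. It builds a small threat tree (OR/AND nodes over leaves with a per-session likelihood), scores each candidate mitigation by how much expected severity it removes against the inconvenience it imposes on the user, and only recommends measures whose benefit clearly outweighs that cost. All tree nodes, likelihoods, impact and cost figures are constructed placeholders on an arbitrary common scale; the "block all cross-domain pictures/css/js" entry is the kind of blanket measure the thread discusses, and the other two are narrower alternatives assumed for comparison.

```python
"""Toy threat-tree evaluator: weigh each proposed privacy feature by
benefit (expected severity removed) against user cost. Added example;
every number below is constructed for illustration."""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, FrozenSet, List


@dataclass
class Node:
    """One node of a threat tree. Leaves carry a per-session likelihood;
    OR/AND nodes combine their children."""
    name: str
    kind: str = "LEAF"          # "LEAF", "OR" or "AND"
    likelihood: float = 0.0     # leaves only: chance the step succeeds
    children: List["Node"] = field(default_factory=list)


@dataclass
class Mitigation:
    """A candidate feature: the leaves it removes and what it costs users."""
    name: str
    blocks: FrozenSet[str]      # leaf names fully mitigated by this feature
    user_cost: float            # constructed: inconvenience, same scale as risk


def success_probability(node: Node, blocked: FrozenSet[str] = frozenset()) -> float:
    """Probability the attacker reaches `node`, treating branches as
    independent. Leaves named in `blocked` are assumed fully mitigated."""
    if node.name in blocked:
        return 0.0
    if node.kind == "LEAF":
        return node.likelihood
    probs = [success_probability(c, blocked) for c in node.children]
    if node.kind == "AND":      # every step must succeed
        return prod(probs)
    if node.kind == "OR":       # any one path suffices
        return 1.0 - prod(1.0 - p for p in probs)
    raise ValueError(f"unknown node kind {node.kind!r}")


def risk(goal: Node, impact: float, blocked: FrozenSet[str] = frozenset()) -> float:
    """Expected severity per session: P(goal reached) * impact of the goal."""
    return success_probability(goal, blocked) * impact


def evaluate(goal: Node, impact: float, mitigations: List[Mitigation]) -> List[Dict]:
    """Score each mitigation; recommend it only if benefit exceeds user cost."""
    baseline = risk(goal, impact)
    rows = []
    for m in mitigations:
        benefit = baseline - risk(goal, impact, m.blocks)
        rows.append({
            "mitigation": m.name,
            "benefit": round(benefit, 4),
            "user_cost": m.user_cost,
            "recommend": benefit > m.user_cost,
        })
    return rows


# Constructed sample tree for the "static content served from another
# domain" case discussed in the thread. Names and numbers are placeholders.
LEAF_REFERER = "cross-domain image fetch carries a Referer header"
LEAF_COOKIE = "cookie on the static-content domain ties requests together"
GOAL = Node("page URL reaches the static-content host's operator", "OR", children=[
    Node(LEAF_REFERER, likelihood=0.30),
    Node(LEAF_COOKIE, likelihood=0.20),
])
GOAL_IMPACT = 4.0   # constructed severity on a 0..10 scale

MITIGATIONS = [
    # Blanket measure: removes both leaves but breaks sites like the
    # mod_rewrite setup mentioned in the thread, hence the high user cost.
    Mitigation("block all cross-domain pictures/css/js",
               frozenset({LEAF_REFERER, LEAF_COOKIE}), user_cost=3.0),
    Mitigation("strip Referer from cross-domain static fetches",
               frozenset({LEAF_REFERER}), user_cost=0.2),
    Mitigation("refuse third-party cookies",
               frozenset({LEAF_COOKIE}), user_cost=0.5),
]


def recommended(goal: Node = GOAL, impact: float = GOAL_IMPACT,
                mitigations: List[Mitigation] = MITIGATIONS) -> List[str]:
    """Names of the mitigations whose benefit outweighs their user cost."""
    return [r["mitigation"] for r in evaluate(goal, impact, mitigations) if r["recommend"]]


if __name__ == "__main__":
    print(f"baseline risk: {risk(GOAL, GOAL_IMPACT):.2f}")
    for row in evaluate(GOAL, GOAL_IMPACT, MITIGATIONS):
        print(row)
```

With the constructed figures the blanket block removes the most risk (1.76) but costs users 3.0, so it is rejected, while the two narrower measures each clear the bar; that is the shape of result the process in the message is meant to produce, and changing the placeholders changes the recommendations, which is the point of doing the accounting per threat rather than by anecdote.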