Comments on: Are Web Pages Still Safe? http://www.symphonious.net/2009/09/04/are-web-pages-still-safe/ Living in a state of accord. Fri, 12 Mar 2010 07:41:05 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Adrian Sutton http://www.symphonious.net/2009/09/04/are-web-pages-still-safe/comment-page-1/#comment-174245 Adrian Sutton Mon, 07 Sep 2009 11:12:37 +0000 http://www.symphonious.net/?p=1236#comment-174245 Ah, indeed your profiles do match what I was thinking, sorry missed that somehow. FireFox's timeout drives me nuts since it makes me wait even when I know exactly what the dialog is telling me and don't need to wait. For non-technical users I doubt it actually helps them to understand the dialog anyway. Profiles are likely to help here - asking "how much do you trust this site" is likely to mean more than asking if you want to install something. The other way to help matters is for browser to have a way to act as if they've given many of the permissions but not actually do it. For example, local storage might accept data but only store it for the current session rather than permanently. That kind of approach would let sites continue to work even if the user didn't want to grant them access, but it's very difficult to get right. I'm not sure there are any good answers to this problem - with malicious sites out there, you really need to force all sites to work with restricted functionality. If you then provide APIs they can take advantage of if the user takes action to allow it that's a bonus. So local storage is not allowed by default and sites have to deal with that, but if the user enables it they can provide faster access or an option to not store content on their servers etc. Web developers obviously want to access all this functionality all the time and be able to depend on it, but that means the malicious sites can too. Ah, indeed your profiles do match what I was thinking, sorry missed that somehow. FireFox’s timeout drives me nuts since it makes me wait even when I know exactly what the dialog is telling me and don’t need to wait. For non-technical users I doubt it actually helps them to understand the dialog anyway. Profiles are likely to help here – asking “how much do you trust this site” is likely to mean more than asking if you want to install something.

The other way to help matters is for browser to have a way to act as if they’ve given many of the permissions but not actually do it. For example, local storage might accept data but only store it for the current session rather than permanently. That kind of approach would let sites continue to work even if the user didn’t want to grant them access, but it’s very difficult to get right.

I’m not sure there are any good answers to this problem – with malicious sites out there, you really need to force all sites to work with restricted functionality. If you then provide APIs they can take advantage of if the user takes action to allow it that’s a bonus. So local storage is not allowed by default and sites have to deal with that, but if the user enables it they can provide faster access or an option to not store content on their servers etc. Web developers obviously want to access all this functionality all the time and be able to depend on it, but that means the malicious sites can too.

]]> By: Martin Probst http://www.symphonious.net/2009/09/04/are-web-pages-still-safe/comment-page-1/#comment-174244 Martin Probst Mon, 07 Sep 2009 10:55:13 +0000 http://www.symphonious.net/?p=1236#comment-174244 I totally agree. Fine grained permissions will not work, that is what I meant with "Profiles". And this is indeed a UI problem - I once read a study on how many users actually read message/permission/... dialogs on Windows, it's downright scary. At least on Windows, people are used to be bombarded with lots of meaningless dialogs, and are conditioned to just click a button without reading. If that doesn't work, they repeat and click the other button, again without reading. No idea how to fix that without some sort of popup though. Firefox' 3 second timeout might be useful, or maybe a query that forces you to select a specific access level instead of just confirming whatever the app wants. I totally agree. Fine grained permissions will not work, that is what I meant with “Profiles”. And this is indeed a UI problem – I once read a study on how many users actually read message/permission/… dialogs on Windows, it’s downright scary. At least on Windows, people are used to be bombarded with lots of meaningless dialogs, and are conditioned to just click a button without reading. If that doesn’t work, they repeat and click the other button, again without reading.

No idea how to fix that without some sort of popup though. Firefox’ 3 second timeout might be useful, or maybe a query that forces you to select a specific access level instead of just confirming whatever the app wants.

]]> By: Adrian Sutton http://www.symphonious.net/2009/09/04/are-web-pages-still-safe/comment-page-1/#comment-174243 Adrian Sutton Mon, 07 Sep 2009 10:25:45 +0000 http://www.symphonious.net/?p=1236#comment-174243 Yes and no. Fine grained permissions are great, except that they're very hard for most users to understand and take a lot of time to manage. They tend to result in the user being pestered by a lot of security dialogs. For almost all cases, you probably only need a few trust levels: Random site on the internet - todays restrictions or even tighter. You probably should discard cookies after a few days for example. - As a sub-category, browsers might automatically take note of commonly accessed sites and not flush cookies if that extra restriction did come in. Sandboxed - where the HTML5 spec seems to be heading. Allow a reasonable amount of local storage and treat it as critical user data, but still restricted so it can't interact with the rest of the OS or the file system. Full web app - like installing a desktop application but it runs in the browser. The install process should be like installing a desktop application too - more like an installer than just a permission dialog. The key is to put a good UI around all of this that is obvious to users so they discover it (unlike IE's current security zones) but doesn't involve popup permission dialogs. There may be even more finegrained permissions enabled as well (via a "Custom" option or similar) but I suspect we need a short list of things to allow so users can understand it. Yes and no. Fine grained permissions are great, except that they’re very hard for most users to understand and take a lot of time to manage. They tend to result in the user being pestered by a lot of security dialogs. For almost all cases, you probably only need a few trust levels:
Random site on the internet – todays restrictions or even tighter. You probably should discard cookies after a few days for example.
– As a sub-category, browsers might automatically take note of commonly accessed sites and not flush cookies if that extra restriction did come in.

Sandboxed – where the HTML5 spec seems to be heading. Allow a reasonable amount of local storage and treat it as critical user data, but still restricted so it can’t interact with the rest of the OS or the file system.

Full web app – like installing a desktop application but it runs in the browser. The install process should be like installing a desktop application too – more like an installer than just a permission dialog.

The key is to put a good UI around all of this that is obvious to users so they discover it (unlike IE’s current security zones) but doesn’t involve popup permission dialogs. There may be even more finegrained permissions enabled as well (via a “Custom” option or similar) but I suspect we need a short list of things to allow so users can understand it.

]]> By: Martin Probst http://www.symphonious.net/2009/09/04/are-web-pages-still-safe/comment-page-1/#comment-174242 Martin Probst Mon, 07 Sep 2009 10:14:56 +0000 http://www.symphonious.net/?p=1236#comment-174242 I think the only thing that can help here is a fine grained permission model, with browsers (and other apps) supporting profiles. E.g. an app can ask to access the network and your cookies in one profile, and/or the file system in another, higher level profile, and another one would allow access to hardware (think webcams and accelerated graphics). We need to move away from the "give this app all permissions" to a "give this app certain well known, restricted permissions". I think the only thing that can help here is a fine grained permission model, with browsers (and other apps) supporting profiles. E.g. an app can ask to access the network and your cookies in one profile, and/or the file system in another, higher level profile, and another one would allow access to hardware (think webcams and accelerated graphics).

We need to move away from the “give this app all permissions” to a “give this app certain well known, restricted permissions”.

]]>