On 5/17/2010 10:23 AM, Nelson B Bolyard wrote:
On 2010-05-17 08:41 PDT, johnjbarton wrote:
Cormac Herley provides a detailed exploration of dangers of
inappropriate security warnings:

https://docs.google.com/viewer?url=http%3A%2F%2Fresearch.microsoft.com%2Fen-us%2Fum%2Fpeople%2Fcormac%2Fpapers%2F2009%2Fsolongandnothanks.pdf&pli=1

Why would you send us a google URL, that forces users to register with
google, just to obtain access to a copy of a document that is available for
free without registration at its source web site?  Read it at

http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf

Check esp. section 7.6 "So What Can We Do?".

This paper is about a year old, and we discussed it here when it was new.

My favorite quote:
   "Given a choice between dancing pigs and security,
   users will pick dancing pigs every time."

It's so true.  If you really want to disable all security warnings, there is
a Firefox extension that will do it.  Just use it.  Maybe you could even
improve it to display dancing pigs!

The quote above was taken out of context. The remaining paragraph starts:
----
While amusing, this is unfair: users are never offered security, either
on its own or as an alternative to anything else. They
are offered long, complex and growing sets of advice,
mandates, policy updates and tips. These sometimes
carry vague and tentative suggestions of reduced risk,
never security. We have shown that much of this advice
does nothing to make users more secure, and some of it
is harmful in its own right. Security is not something
users are offered and turn down. What they are offered
and do turn down is crushingly complex security advice
that promises little and delivers less.
----
jjb

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
