On Mon, Apr 21, 2014 at 11:33 PM, Chris Hellyar <[email protected]> wrote:
> On 20/04/14 15:14, Jim Cheetham wrote:
>
>> If you think that you need to support browser versions that are
>> unsupported by their own authors then I'd consider offering graduated
>> services - if you connect with weak ciphers, use OTP instead of just a
>> password, for example.
>>
>
> Hi Jim,
>
> I think in a lot of cases commercial reality wins over any sort of
> sensible security graduation/degrading like that.

Degrading the service to zero is obviously a flat loss, but you might be
able to get in something like an "express checkout for modern browsers
only".

In the ivory towers of non-commerce we have to deal with risks
differently instead of pretending they do not exist (i.e. would result in
fewer sales; or can be passed on to the credit-card agency instead). But
it isn't "reality", it's "ignorance".

> In the online shopping world where requiring a password before checkout vs
> after can make a 50% difference in conversion having any sort of security
> 'impediment' might be financial suicide. (Depending on vertical,
> engagement and quality of funnel/pre-sell)

Which is sort of the risk point, isn't it? If the only factor that matters
is conversion, why bother with any security features at all?

If you can classify your potential security issues with old browsers,
insecure codebases and bad SSL ciphers into terms of conversion (i.e.
long-term confidence after a breach, which seems to be unaffected!), you
get the money to operate; if you can't, you don't. Tell them that security
features are insurance and you might be able to get it into terms they
understand.

But then again, if security isn't your main job, just make sure you have
put your concerns out and up the management chain, so when it all goes
wrong one day (hopefully never) you have clear protection, and some
pre-suggested ways forward. That's your insurance :-)

-jim
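Jim's graduated-service idea (serve a weak-cipher connection, but demand OTP rather than just a password, and reserve the "express checkout" fast path for modern browsers) as an added example. This is not code from the thread or from either poster. It assumes the application can see the parameters of the negotiated TLS session, which Python's ssl.SSLSocket.cipher() reports as a (cipher_name, protocol_version, secret_bits) tuple; the tier names, the cipher-name markers, the 112-bit threshold and the ServicePolicy shape are my own choices, and the sample sessions at the bottom are constructed, not captured.

```python
"""Graduated service driven by the negotiated TLS parameters (added example).

ssl.SSLSocket.cipher() returns (cipher_name, protocol_version, secret_bits)
for an established connection.  tls_tier() classifies that tuple and
service_policy() turns the tier into an authentication / checkout decision.
"""
from dataclasses import dataclass

# Substrings of OpenSSL cipher names that mark a suite as broken
# (assumed list; extend to taste).
BROKEN_MARKERS = ("NULL", "EXP", "ADH", "AECDH", "anon", "RC4", "MD5")
# "DES" also matches 3DES names such as DES-CBC3-SHA: deprecated, not broken.
DEPRECATED_MARKERS = ("DES",)
BROKEN_PROTOCOLS = ("SSLv2", "SSLv3")
LEGACY_PROTOCOLS = ("TLSv1", "TLSv1.1")


def tls_tier(cipher_name: str, protocol: str, secret_bits: int) -> str:
    """Classify a negotiated session as 'modern', 'weak' or 'broken'.

    broken : no real confidentiality or integrity (SSLv2/3, NULL, export,
             anonymous DH, RC4, MD5 MAC, or fewer than 112 secret bits)
    weak   : deprecated but not trivially attacked (TLS 1.0/1.1, 3DES,
             or a TLS 1.2 suite without forward secrecy)
    modern : TLS 1.2 with an (EC)DHE suite, or any TLS 1.3 suite
    """
    if protocol in BROKEN_PROTOCOLS or secret_bits < 112:
        return "broken"
    if any(marker in cipher_name for marker in BROKEN_MARKERS):
        return "broken"
    if protocol in LEGACY_PROTOCOLS:
        return "weak"
    if any(marker in cipher_name for marker in DEPRECATED_MARKERS):
        return "weak"
    # Every TLS 1.3 suite (TLS_AES_..., TLS_CHACHA20_...) has forward secrecy;
    # on TLS 1.2 only the (EC)DHE key exchanges do.
    has_forward_secrecy = protocol == "TLSv1.3" or cipher_name.startswith(("ECDHE", "DHE"))
    return "modern" if has_forward_secrecy else "weak"


@dataclass(frozen=True)
class ServicePolicy:
    allow: bool               # serve the request at all
    factors: tuple            # authentication factors demanded at login / checkout
    express_checkout: bool    # the "modern browsers only" fast path


def service_policy(cipher_name: str, protocol: str, secret_bits: int) -> ServicePolicy:
    """Map the TLS tier to the graduated service the thread describes."""
    tier = tls_tier(cipher_name, protocol, secret_bits)
    if tier == "modern":
        return ServicePolicy(allow=True, factors=("password",), express_checkout=True)
    if tier == "weak":
        # Still served, but a password sniffed off a weak channel must not be
        # enough on its own, and the fast path is withheld.
        return ServicePolicy(allow=True, factors=("password", "otp"), express_checkout=False)
    # A broken channel cannot protect the OTP either; refuse rather than degrade.
    return ServicePolicy(allow=False, factors=(), express_checkout=False)


# Constructed sample sessions in the shape ssl.SSLSocket.cipher() returns.
SAMPLE_SESSIONS = {
    "tls13 browser":    ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
    "tls12 pfs":        ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
    "tls12 static rsa": ("AES128-SHA", "TLSv1.2", 128),
    "xp-era browser":   ("DES-CBC3-SHA", "TLSv1", 112),
    "rc4 client":       ("RC4-SHA", "TLSv1", 128),
    "export suite":     ("EXP-RC4-MD5", "SSLv3", 40),
}

if __name__ == "__main__":
    # With a live connection you would call service_policy(*tls_sock.cipher()).
    for label, session in SAMPLE_SESSIONS.items():
        print(f"{label:18s} {tls_tier(*session):7s} {service_policy(*session)}")
```

Behind a reverse proxy the same inputs are available as nginx's `$ssl_cipher` and `$ssl_protocol` variables, which can be forwarded to the application as request headers (the `secret_bits` value then has to be derived from the cipher name). Matching on name substrings is deliberately coarse; the point of the example is the step-up policy, not a complete cipher audit, and anything classified "broken" here is better removed from the server's cipher list than served at all.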
_______________________________________________ Linux-users mailing list [email protected] http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
