On 7/2/12 05:31 , Robin Berjon wrote:
The first problem is that of the security model. A lot of smart people have
tried to come up with a lot of different solutions here, often involving
signatures, policies, intricate user interfaces, etc. I think that's all
massively over-engineered. Once you take into account the fact that the number
of applications that actually need this level of privilege is only a tiny
fraction of the whole, you realise that you can just give up on privilege
policies. These are just regular apps: they have unfettered access — period
(within the limits of the underlying platform's permissions system naturally).
They ought to be harder (and unusual) to install, and maybe should look
different, but that's it. We might want to give them strong CSP protection by
default to defend against XSS attacks, but that's a detail.
JCD: I strongly disagree with you there, Robin. I do not see why
"installed apps" should have more access. "Normal apps" and "installed
apps" should have the same security model, but "installed apps" may have
permanently remembered security clearances, and that could be the only
difference.
My proposal is as simplistic as yours, but in the opposite direction.
You are saying "installed apps" should have all rights, I am saying
"installed apps" should obey the exact same security as "normal apps".
In your system, it is dangerous to install an app, but it is very
simple. In mine, there is no danger, but it is a bit more work.
Having a difference between installed apps and normal apps is actually
counter-productive.
Java tried that for applets, and Java is now gone from the web apps stage.
Best regards
JC
--
JC Dufourd
Directeur d'Etudes/Professor
Groupe Multimedia/Multimedia Group
Traitement du Signal et Images/Signal and Image Processing
Telecom ParisTech, 37-39 rue Dareau, 75014 Paris, France
Tel: +33145817733 - Mob: +33677843843 - Fax: +33145817144
