On 1/4/11 6:15 PM, Glenn Maynard wrote:
> No general security model can be built around requiring the user
> to understand the technical issues behind the security.

Agreed.

At the same time no general security model should be built around requiring users to make decisions based on no information.

So in brief, asking the user is just a bad security model...

Note that you keep comparing websites to desktop software, but desktop software typically doesn't change out from under the user (possibly in ways the original software developer didn't intend). The desktop apps that do update themselves have a lot of checks on the process precisely to avoid issues like MITM injection of trojaned updates and whatnot. So in practice, they have a setup where you make a trust decision once, and then the code that you already trusted verifies signatures on every change to itself.

Perhaps we need infrastructure like that for websites; I'm not quite sure how to make it work, though, since the code that the user trusted once is not known to still be ok, unlike the desktop app case.

-Boris
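
Added example, not part of the message above or of any project's code: a sketch of the desktop-updater model described in the message, where the user trusts a key once and the installed code then checks a signature on every change to itself. All names (`signUpdate`, `InstalledApp`, `demo`) and the update contents are constructed for illustration; the "must be newer" check goes one step beyond what the message describes.

```javascript
// Trust once, verify every update. Uses only Node's built-in crypto module.
const nodeCrypto = require('node:crypto');

// Vendor side (constructed for the example): an Ed25519 signing key pair.
const vendor = nodeCrypto.generateKeyPairSync('ed25519');

function signUpdate(privateKey, version, code) {
  const payload = Buffer.from(JSON.stringify({ version, code }));
  return { payload, signature: nodeCrypto.sign(null, payload, privateKey) };
}

// Client side: the installed app carries the public key the user accepted once.
class InstalledApp {
  constructor(pinnedPublicKey, version, code) {
    this.pinnedPublicKey = pinnedPublicKey;
    this.version = version;
    this.code = code;
  }

  // Apply an update only if it verifies against the pinned key and is newer.
  applyUpdate({ payload, signature }) {
    if (!nodeCrypto.verify(null, payload, this.pinnedPublicKey, signature)) {
      return 'rejected: bad signature';
    }
    const { version, code } = JSON.parse(payload.toString());
    if (!Number.isInteger(version) || version <= this.version) return 'rejected: not newer';
    this.version = version;
    this.code = code;
    return 'applied';
  }
}

function demo() {
  const app = new InstalledApp(vendor.publicKey, 1, 'v1 code');
  const genuine = signUpdate(vendor.privateKey, 2, 'v2 code');
  // Constructed: payload altered in transit, original signature left attached.
  const altered = Buffer.from(JSON.stringify({ version: 3, code: 'altered' }));
  const tampered = { payload: altered, signature: genuine.signature };
  // Constructed: validly signed, but by a key the user never trusted.
  const foreign = signUpdate(nodeCrypto.generateKeyPairSync('ed25519').privateKey, 3, 'other');
  return {
    tampered: app.applyUpdate(tampered),
    foreign: app.applyUpdate(foreign),
    genuine: app.applyUpdate(genuine),
    replayed: app.applyUpdate(genuine),
    version: app.version,
  };
}
console.log(demo());
```

The verifier here is itself part of the code the user trusted at install time, which is the piece the message notes a website lacks.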
