
Re: [Ayatana] Farewell to the notification area



On Sun, 2010-04-25 at 13:55 -0300, Paulo J. S. Silva wrote:
> That is the reason why the pop-up/under/whatever is a BAD idea. And
> the reason is that it is asynchronous, so the user is getting taught
> to respond to (possibly fake) windows requesting their password. This is
> a path for disaster if we ever get remotely close to solving Bug n. 1.

Option #1: Display an icon in the notification area that nobody clicks,
as a result security updates never get installed and system is
compromised from the lack of important security updates.

Option #2: Pop-up the update dialog demanding attention, most users
click to install the important updates and system is secure as system
security updates are always applied.

Side effect of Option #2: Some users may get fooled into typing their
password into a fake update-manager dialog inside a web page. So...what
does a web page do with the user's password once it's obtained? Not
much, as there shouldn't be much to do with it anyway if there is no
malware installed on the computer. A desktop computer should _not_ be
accessible from the Internet with a user's password.

From a security point of view, option #2 is a _lot_ safer.

> And, answering to Mark, yes it is much more difficult to fake an icon
> in the system panel because the system panel. The reason is that we
> are assuming that the system hasn't been compromised yet, so there
> isn't any malware running on the system. What Jim, and I, and others,
> were talking about was websites spoofing the update-manager using the
> browser and technologies like flash. In this case it is not trivial to
> present an icon in the panel as there are only two possibilities for
> it:

If you don't have malware installed on your computer, the damage caused
by a random website obtaining the user's login credentials is low.

If you _do_ have malware installed on your computer, it can do anything,
including displaying in the notification area, or simply waiting until
the next time your user _needs_ to use his password.

> 1) The panel is visible and outside the browsers' windows borders. In
> this case the pop-up coming from the internet would need to ask the
> browser to open a new window and position that window on the right
> place to look like the update icon. Note that in this case the browser
> would need a new window and, if I remember correctly, new windows are
> always created with the window decorations around it. Then the fake
> icon (with window borders around it) would be easily recognizable.

The same goes with pop up windows, in order for it to appear in the
window switcher.

> I do believe that the system should only notify the user about
> updates. If the updates are security updates the system could be a
> pain (showing a notification bubble every 5 minutes if the user did
> not apply the security updates for some days). But the user should
> always be the one to call the update-manager window and hence trust it
> to give his password.
> 
> Then we could go back to common sense: if you haven't started a
> workflow where you know that your password will be required, don't give
> your password!

This concept is completely foreign to regular users and I doubt it could
be something that could be relied upon. "Did you _do_ something for the
password prompt to be displayed?" is not a question most users would be
able to answer.

The whole "pop-ups aren't secure" argument sounds like an attempt to use
security as justification to revert back to the previous behaviour. The
problem is the previous behaviour isn't secure.

Marc.