unity-design team mailing list archive

Re: Possible security risk with update-manager

 

Conscious User wrote on 14/12/09 14:50:
>...
> Matthew, he did say the example was very crude. Showing the status bar
> and/or the address bar was a valid solution some years ago. Today, with
> Javascript pop-ups, ubiquity of flash applets and rise of integrated
> web+desktop frameworks like Air, the game has changed a little bit.

Defending against UI spoofing is a fascinating topic for browser and
plug-in developers. It would be great if there was a reliable way to
distinguish between real self-opening windows and fake ones, and new
ideas for this are always welcome. But requiring people to click a panel
icon to access real windows succeeds mainly in hiding them altogether.
See for example the aggravation caused by Empathy's behavior in Ubuntu
9.10, where people try to message you and get ignored because the only
visible effect is a changed icon in the panel.
<http://arstechnica.com/open-source/reviews/2009/11/good-karma-ars-reviews-ubuntu-910.ars/3>

> In fact, a lot of javascript libraries have a resource to dim the page
> before showing a popup, exactly like gksudo does.
>...

Sure, but that has nothing particularly to do with Update Manager (which
soon, maybe in Lucid, will use PolicyKit rather than gksudo). I could
just as well put up a gksudo-imitating window saying "Sorry, the program
gconfig-spi closed unexpectedly. Enter your password to access the error
report".

Cheers
--
Matthew Paul Thomas
http://mpt.net.nz/