unity-design team mailing list archive
-
unity-design team
-
Mailing list archive
-
Message #01460
Re: Farewell to the notification area
> And you think malware couldn't put up a systray icon tricking you into
> thinking you have updates? You think you would be able to tell the
> difference? The panel icon is just as fakeable as the popup.
Disagree. Because update-manager does not require gksudo, there is no
screen dimming or anything else that indicates in an obvious manner
that it is an actual update window and not a popup coming from the
browser.
(I'm not talking about popup in the browser window sense, I'm talking
about popups in the z-index sense, they can work because it is
very common for the user to use the browser fullscreen)
Thinking better, *even* with screen dimming the user can be tricked:
all it needs is from him to have a dark theme (so the non-dimming
of the browser toolbar and the panel would be less noticeable)
And the most important:
Saying "both alternatives are insecure, so since it will be insecure
anyway let's forget the issue" is not exactly the optimal way of
solving a problem. We should look for a third alternative if needed.
Follow ups
References