unity-design team mailing list archive

[Chow Loong Jin <hyperair@xxxxxxxxx>]

On Monday 26,April,2010 01:39 AM, Marc Deslauriers wrote:
> On Sun, 2010-04-25 at 13:55 -0300, Paulo J. S. Silva wrote:
>> That is the reason while the pop-up/under/what ever is a BAD idea. And
>> the reason is that it is asynchronous, so the user is getting taught
>> to respond to (possibly fake) windows request their password. This is
>> a path for disaster if we ever get remotely close to solving Bug n. 1.
> 
> Option #1: Display an icon in the notification area that nobody clicks,
> as a result security updates never get installed and system is
> compromised from the lack of important security updates.
> 
> Option #2: Pop-up the update dialog demanding attention, most users
> click to install the important updates and system is secure as system
> security updates are always applied.
> 
> Side effect of Option #2: Some users may get fooled into typing their
> password into a fake update-manager dialog inside a web page. So...what
> does a web page do with the user's password once it's obtained? Not
> much, as there shouldn't be much to do with it anyway if there is no
> malware installed on the computer. A desktop computer should _not_ be
> accessible from the Internet with a user's password.
> 
>>From a security point of vue, option #2 is a _lot_ safer.
> 
>> And, answering to Mark, yes it is much more difficult to fake an icon
>> in the system panel because the system panel. The reason is that we
>> are assuming that the system haven't been compromised yet, so there
>> isn't any malware running on the system. What Jim, and I, and others,
>> were talking about was websites spoofing the update-manager using the
>> browser and technologies like flash. In this case it is not trivial to
>> present a icon in the panel as there are only two possibilities for
>> it:
> 
> If you don't have malware installed on your computer, the damage caused
> by a random website obtaining the user's login credentials is low.

Not really. Many users run ssh on their systems. With a few tracking cookies in
place to determine what username you usually use, I'm sure that you could ssh
into a system that you have the IP of. And with the username and password, you
could use sudo to gain root on any of those systems.

Let us also not forget that many regular users don't keep their password very
closely guarded, and use the same (weak) password for many websites. Obtaining a
username and password would also mean potential access to all these other websites.

Saying that not much can be done even if usernames and passwords were given away
online does not make it any less of a security concern.

> 
> If you _do_ have malware installed on your computer, it can do anything,
> including displaying in the notification area, or simply waiting until
> the next time your user _needs_ to use his password.

The point was that it could be spoofed without malware being installed.

> 
>> 1) The panel is visible and outside the browsers' windows borders. In
>> this case the pop-up coming from the internet would need to ask the
>> browser to open a new window and position that window on the right
>> place to look like the update icon. Note that in this case the browser
>> would need a new window and, if  I remember correctly, new windows are
>> always created with the windows decorations around it. Then the fake
>> icon (with window borders around it) would be easily recognizable
> 
> The same goes with pop up windows, in order for it to appear in the
> window switcher.

Windows that are positioned in the same place as the panel will end up below the
panel, not above.

> 
>> I do believe that the system should only notify the user about
>> updates. If the updates are security updates the system could be a
>> pain (showing a notification bubble every 5 minutes if the user did
>> not apply the security updates for some days). But the user should
>> always be the one to call the update-manager window and hence trust it
>> to give his password.
>>
>> Then we could go back to common sense: if you haven't started a
>> workflow where you know that you password will be required don't give
>> your password!
> 
> This concept is completely foreign to regular users and I doubt it could
> be something that could be relied upon. "Did you _do_ something for the
> password prompt to be displayed?" is not a question most users would be
> able to answer.

And most regular users haven't the slightest inkling about secure practices,
which is what spawned this discussion in the first place.

> 
> The whole "pop-ups aren't secure" argument sounds like an attempt to use
> security as justification to revert back to the previous behaviour. The
> problem is the previous behaviour isn't secure.

In any case it is more secure than the current behaviour. And much less
obstrusive/disruptive to workflow too.

There was mention of using colour in the messaging indicator to show that there
are messages, as these stand out from monochrome icons. There is also colour
used for the battery icon to show critical levels of power. So why not this?
Let's just stick a bright red icon next to the indicators. Given that all of the
indicators will eventually be monochrome, this would be a good and consistent
way of getting user attention.

Further points:

A pop-under that does not steal focus will not get my attention until I close
all my windows, after which I may need to shut down immediately due to being in
a hurry, hence not getting security updates installed.

A pop-up that *does* steal focus will get my attention, but it will break my
workflow, and if I was a regular user who stares at the keyboard to type, I'd
have typed a whole paragraph of words into the update-manager window. Then I
would have lost work and be so annoyed with it that I'd just close it anyway,
defeating the purpose of popping up in my face. And then there would be no
further indication that I have updates, so I would just forget about it.

An *icon* in the panel that is bright red in a set of monochrome icons, will
catch my attention, and I would be able to attend to it when I am free enough
for updates.

Having the "reboot please" icon sitting around in the notification
area/application indicators area, but not this, is _inconsistent_. We might as
well just keep the "reboot now" window open, and always on top, so it always
gets in the user's face until he/she reboots.

-- 
Kind regards,
Chow Loong Jin

Attachment: signature.asc
Description: OpenPGP digital signature