Re: Allow ... centralized dialog up front from Robin Berjon on 2013-02-06 (public-webapps@w3.org from January to March 2013)

From: Robin Berjon <robin@w3.org>
Date: Wed, 06 Feb 2013 12:03:19 +0100
To: Keean Schupke <keean@fry-it.com>
CC: Charles Pritchard <chuck@jumis.com>, Adrienne Porter Felt <adriennefelt@gmail.com>, Tobie Langel <tobie@fb.com>, Arthur Barstow <art.barstow@nokia.com>, Charles McCathie Nevile <chaals@yandex-team.ru>, WebApps WG <public-webapps@w3.org>, Florian Bösch <pyalot@gmail.com>
Message-ID: <51123877.4060705@w3.org>

On 06/02/2013 08:36 , Keean Schupke wrote:
> I don't think you can say either an up front dialog or popups do not
> work. There are clear examples of both working, Android and iPhone
> respectively. Each has a different set of trade-offs and is better in
> some circumstances, worse in others.

If by "working" you mean that it is technically feasible and will 
provide developers with access to features then sure.

If however you mean that it succeeds in protecting users against 
agreeing to escalate privileges to malicious applications then, no, it 
really, really does not work at all.

Security through user prompting is sweeping the problem under the rug. 
Usually this is the point at which someone will say "but we have to 
*educate* the users!". No. We don't. Users don't want to be educated, 
and they shouldn't have to be. We're producing technology for *user* 
agents. It is *our* responsibility to ensure that users remain safe, 
even in as much as possible against their own mistakes.

And I'm sorry to go all Godwin on you, but the prompting approach is the 
Java applet security model all over again. Let's just not go back there, 
shall we?

It's not as if this debate hasn't been had time and over again. See (old 
and unfinished):

http://darobin.github.com/api-design-privacy/api-design-privacy.html#privacy-enhancing-api-patterns

That includes a short discussion of why the Geolocation model is wrong. 
All of this has been extensively discussed in the DAP WG, as well as 
IIRC around the Web Notifications work. There have been a few attempts 
to work out the details (tl;dr they don't fly):

     http://w3c-test.org/dap/proposals/request-feature/
     http://dev.w3.org/2009/dap/docs/feat-perms/feat-perms.html

That's one of the reasons we have a SysApps WG today. As it happens, 
they're working on a security model, too.

This is not to say that declaring required privileges cannot be useful. 
There certainly are cases in which it can integrate into a larger 
system. But that larger system isn't upfront prompting.

-- 
Robin Berjon - http://berjon.com/ - @robinberjon

Received on Wednesday, 6 February 2013 11:03:30 UTC