On Thu, Nov 19, 2009 at 10:08 PM, Marcin Hanclik < Marcin.Hanclik@access-company.com> wrote: > The default settings within a browser could e.g. disable directory walking > and file writing. But if the user changes the settings (and is warned about > the potential security risks when switching some protection off), then it is > up to the user and she/he takes over the responsibility. > This model generally does not work on the Web. Few users understand settings or potential security risks and even fewer care. Lots of studies have shown this (e.g. see http://groups.csail.mit.edu/uid/projects/phishing/chi-security-toolbar.pdf). Forcing users to make decisions they do not want to make or cannot make is a failure. The abstraction of the security concerns within a policy may allow > delegation of the security to some third parties. > There are usually no third parties to delegate to. If you're mainly concerned with intranet applications, you might be able to delegate to corporate administrators, but you probably want to avoid that too. Rob -- "He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
Received on Thursday, 19 November 2009 09:40:32 UTC