Re: gnome-keyring Request for comments on security of authentication/authorisation UIs
- From: "Jasper St. Pierre" <jstpierre mecheye net>
- To: "Dodier-Lazaro, Steve" <s dodier-lazaro 12 ucl ac uk>
- Cc: "martin peres labri fr" <martin peres labri fr>, "gnome-shell-list gnome org" <gnome-shell-list gnome org>, "desktop-devel-list gnome org" <desktop-devel-list gnome org>, "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
- Subject: Re: gnome-keyring Request for comments on security of authentication/authorisation UIs
- Date: Sat, 29 Mar 2014 01:46:54 -0000
Hi Steve,
This is exactly the sort of design I love to see, and it's what I was strongly pushing for. This sort of an approach of designing APIs after use cases on a one-by-one basis is what GNOME design is about, and it makes me a lot more comfortable than a generic request/response system.
I'm not a UX designer, so I can't speak to the flow of the system you've designed, whether it fits in with our plans, or if we even want such a widget to display or provide credentials in the first place. It's simply an example, of course.
I feel like we can do this on a case-by-case basis, by looking at places where security is poor or limited (Portals, Intents, and the ability to choose user content by delegating to a system component is the most often quoted example), and designing a new solution that takes security measures into account.
Things like screen sharing are more generic and difficult. Imagine I have a program like OBS: the goal is to capture my desktop and stream it to a service like Twitch. This is a perfectly acceptable use case for screen sharing, but we don't want the user to have their screen shared when they don't want it.
A design here could be to have an indicator available to the user when an application is capturing the desktop, and when the user clicks it, they can see all the applications currently recording and have the ability to stop the recordings, flat out kill the app, or go to a more detailed settings panel to see exactly what the applications are capturing.
While this design may not be perfect, it affords what I think are the key frustrations with SELinux: it gives transparency into what the application is doing (the user will notice a red icon to mean their screen is being recorded), why it's doing it (well, if they're running OBS, then they want to stream this game), and gives them the ability to set their own policy.
At this point, I'm reminded of tef's post, asking, "What's your threat model?" [0]:
Who is attacking? How are they attacking? Will we know when somebody's attacking? Will the user know when somebody's attacking? Can we know a legitimate actions compared to an illegitimate one? Can the user know a legitimate action compared to an illegitimate one?
How much of a choice should the user be making, and how much of a choice should we make for the user? What choices can we, or the user make? What information do we expose to the user in the case of a questionable action?
How can the user stop a perceived attack? Should they stop a perceived attack? What can go wrong if the user stops a perceived attack that is a legitimate action?
We need to be asking those questions, and more, rather than talk about GtkPasswordForms and the X,Y positions of widgets. Those are just technical implementation details of how to implement a more secure design. We can crank those out in a day. The tough part is the thinking towards making a more usable, transparent, secure system in general.
[0]
http://programmingisterrible.com/post/67851666020/whats-your-threat-model
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]