Untrusted software and security click-through warnings

Ian Jackson iwj at ubuntu.com
Mon Oct 15 16:31:23 UTC 2007


João Pinto writes ("Re: Untrusted software and security click-through warnings"):
>   2 - fake software, or "companion" software
...
> Case 2 can only be addressed by educating people on how to use the
> internet in a safe manner, again, typing random commands from an
> untrusted web site is a major security risk for any OS, and it is a
> very common practice for Linux users in particular

At the moment a user can unwittingly compromise their system just by
clicking on one thing on a website and then saying `yes' a few times.

What I'm suggesting is that if they want to do that they should be
required to do something a little more complicated which is more
likely to trigger an actual decision-making process.  Like, for
example, typing random commands they found on a webpage.

I don't know if you've seen many naive users in front of computers but
websites that ask them to type runes in when the user was trying to
get some other work done will generally cause the user to smell a rat,
in a way that something which requires them to say `next' four times
doesn't at all.

Ian.



