Untrusted software and security click-through warnings

Ian Jackson iwj at ubuntu.com
Fri Sep 28 15:56:31 BST 2007 

We had an IRC discussion during the Desktop Team Meeting on
#ubuntu-devel about apt+http://foo.bar?package=baz (which might add
new repositories such as PPAs).  This turned into a long discussion of
the merits of various security considerations and convenience
tradeoffs.  I said I'd post here about it.  What follows is very much
my personal view but I think the conclusions are inevitable.


Firstly, I would assert that we are largely responsible for the
security of Ubuntu users' systems:

We cannot assume that our users are sufficiently knowledgeable and
experienced to know what is and is not an acceptable risk to take.  We
must ensure that naive users following the obvious path to get their
work done are not led into error.


Secondly, click-through "get this task done" security warnings are
harmful:

It is well established through research (and I'm sure through the
personal experience of most of us here) that systems which pop up
dialogues which essentially ask the user "so do you actually want to
do what you just asked me to" are useless.  The user will almost
inevitably just say "yes" without reading any of the text.

It has been argued in the past that these dialogues are useful to
some power users, who know what they really mean.  Perhaps this is
so.  However, the point of Ubuntu is to make computing accessible to
everyone - not just experts.  And a computer which leads a user astray
is not accessible to that user.

Therefore these dialogues should be abolished.  In cases where the
dialogue is there to ask the user to permit a dangerous operation, the
system should be reworked so that either
 1. the operation is made less dangerous (so that it can be safely
    done without prompting), or so that
 2. the operation can only be requested by much more explicit action
    by the user (not by some third party!) so that no further
    confirmation is needed.


Thirdly, the Internet is full of malicious people who would like to
install software on our users' computers.

This is less true now than it will be in (say) 5 years' time.  The
main thing which is holding back the deployment of malware against our
users is that we are not currently as juicy a target as M$'s systems.
When Ubuntu is as popular as Windows, our users will have many of the
same problems that Windows users do now.

The reason for this is that we have been inheriting (sometimes via
third parties) the idea that it is acceptable to go to a website, find
you need to install some software to use it, and then install that
software provided by that website - and the idea that it is a sensible
thing for a user to look for zero-cost software via a search engine
and then just install it.

All of us experts here know that this isn't a good way to proceed.
But our users don't.  For these reasons, it is up to us to do better.


Conclusion: Ubuntu systems should not provide a smooth `click through'
route to the installation of untrustworthy software.

Untrustworthy software includes all software which we don't have some
reason to trust.  This means:

 * No click-through installation of downloaded .debs
 * No click-through addition of arbitrary apt repositories or keys
 * No click-through installation of arbitrary browser plugins
 * No click-through addition of PPAs without further policy controls

What _is_ OK is:

 * Yes, click-through installation of .debs already in Ubuntu
 * Yes, click-through installation of browser plugins provided in Ubuntu
 * Yes, click-through installation of media codecs provided in Ubuntu
 * Yes, click-through addition of PPAs whose uploaders we bless
    and for which someone will provide security support

There should be some kind of click-through here because installing
software is a significant step: it consumes time and bandwidth and may
make the system less stable.  We need to keep the user informed so
they know what they're waiting for and give them the opportunity not
to have their work interrupted by the download and installation
process.  Note that the click through serves the user's convenience,
not their security.


What might also be OK is selectively permitting the installation of
software from third parties that we have the right kind of
relationship with.  We would have to think about what the criteria
might be, but here is a starting point:

 * The third party would have to agree in a legally binding way to
   uphold and not subvert the user's rights on their own computer;
 * The third party would have to commit to provide security updates,
   where necessary, within a defined timeframe.
 * The list of approved third parties should be provided by Ubuntu and
   programmatically enforced by the software;
 * We should be able (both contractually and technically) to
   withdraw/revoke such a third party permission if they turn out
   in our opinion not to take our users security and privacy
   seriously;
 * We should think carefully about the user interface for enabling a
   particular third party, which ought to be an explicit step;
 * We should consider the position of users who have already approved
   a particular third pary source which we have revoked -
   specifically, we should consider what actions of ours would be in
   the best interests of those users.


What is of course also necessary is an ability for power users to
specify additional third-parties without any blessing from Ubuntu.
However *this facility must not to be accessible to naive users*.

In particular, it *must not be possible* for a third party to invoke
such a UI via eg a website, incoming email, video file, or whatever.


We can't stop third parties writing on their website

  "Now go to   Settings / Advanced / Trusted Software Sources
   and select   Add Absolute URL
   and paste in   http://malware.example.com/ubuntu/
   say `confirm' to the security warning and enter your pasword"

or

  "Select  Applications / Accessories / Terminal
   In the window type
     sudo apt-add-untrusted-repository --force-security-override http://malware.example.com/ubuntu/
   and type in your password when prompted."

but even a naive user can be expected to smell a rat there.

On the other hand if the third party can say

  "Your browser does not support Frobnication.
   [Click here] to install it"

the user will click and probably say yes to the confirmation question
and enter their password when prompted.  So we have to prevent that.


I realise that this may involve changes to some of our existing
software, which doesn't always adhere to the principles above, and it
will cause some pain.  I'm sure it will cause howls from those power
users who are wedded to their favourite firefox extensions and feel
that all users should have an easy route to installing them.

But the alternative is that in 5 years' time our users' systems will
be malware-infested nightmares.

Or to put it another way: the point of Ubuntu is to give users control
over their own computers - that is, Freedom.  Our job includes
defending that control against those who would risk it in the name of
temporary convenience.


Thanks for your attention.

Ian.

More information about the ubuntu-devel mailing list