l4-hurd

Re: Changing from L4 to something else...


From: Bas Wijnen
Subject: Re: Changing from L4 to something else...
Date: Sun, 30 Oct 2005 19:54:36 +0100
User-agent: Mutt/1.5.11

On Sat, Oct 29, 2005 at 03:36:35AM +0200, Yoshinori K. Okuji wrote:
> On Friday 28 October 2005 03:34 pm, Bas Wijnen wrote:
> > If the system is well designed, then there is no problem.  First of all, it
> > doesn't sound like a good idea to need a plugin just to set your
> > preferences. But even if it is, you don't need to give it permission to
> > write to your *entire* configuration.  If mozilla is well designed (where
> > well-designed means "using the capability system effectively", which of
> > course it doesn't), it can allow the plugin to write some configuration
> > once, but not allow it to install a proxy.
> 
> For example, look at this extension:
> 
> http://www.roundtwo.com/product/switchproxy
> 
> Whether you like it or not, this kind of extension is very useful for some
> people, so they will use it.

Indeed.

> "Do not use such a silly plugin" is not an appropriate answer for this,
> since the purpose of a good secure framework is to allow people to use
> untrusted code such as this with no or little risk.

I agree that "you mustn't want this" is a very bad solution for any problem.
:-)

However, this is quite an invasive plugin.  I think you must either trust it
and allow it to set proxies to whatever it wants, or limit it by duplicating
the list of used proxies in the configuration of the allowed outgoing network
ports for firefox.  The latter is a job that I don't expect the average user
to be able to do, except if the plugin can help there via a (trusted) user
agent.  I'm not sure how hard it would be to make a situation like this both
usable and secure (without needing to trust the plugin).

I agree with you that it can be possible that we do not go for maximum
security, if it costs too much usability (and "too much" should be very
little).  I also think that we should try hard to be secure without losing
usability.

> So, decisions must always be based on a balanced view. Otherwise, conclusions
> would be far away from reality.

I'm not sure what you want to balance here, but I'm a bit allergic to
"balanced views" for the sake of themselves.  In particular, I think that "it
must be balanced" is no argument at all for doing or not doing something.

I think I do agree with what you mean to say though. :-)

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html
