Changes between Initial Version and Version 1 of Ticket #25658, comment 37


Timestamp:
Oct 26, 2018, 3:57:55 PM (7 months ago)
Author:
arthuredelstein
Comment:

  • Ticket #25658, comment 37

    Diff of the comment text, initial version against v1. Each line carries its line number within the comment; a line that differs between the versions is shown twice, marked [initial] and [v1]. Only changed lines and their surrounding context are shown.

    4   We have discussed this issue previously, but I wanted to try laying it out in more detail and see if that helps to clarify the different approaches. :)
    5
    6   [initial] We already have a "Safest" setting that maximizes security guarantees. I agree we shouldn't lower those guarantees. We also have a "Safe" (Low) setting which maximizes usability and already has the lowest possible security guarantees. That probably shouldn't change for now.
    6   [v1]      We already have a "Safest" setting that maximizes security guarantees. I agree we shouldn't lower those guarantees. We also have a "Standard" (Low) setting which maximizes usability and already has the lowest possible security guarantees. That probably shouldn't change for now.
    7
    8   [initial] So the question is: what should the "Safer" (Medium) level be? Given that the three levels are implementing a tradeoff between security and website usability, I think we should be willing to consider any Pareto-optimal choice, even if it reduces security somewhat. What is important is that the "Safer" level is sufficiently distinct from both "Safest" and "Safe" so that it is worthwhile to make it available.
    8   [v1]      So the question is: what should the "Safer" (Medium) level be? Given that the three levels are implementing a tradeoff between security and website usability, I think we should be willing to consider any Pareto-optimal choice, even if it reduces security somewhat. What is important is that the "Safer" level is sufficiently distinct from both "Safest" and "Standard" so that it is worthwhile to make it available.
    9
    10  Let's compare two possible "Safer" (Medium) Security designs:

    (lines 11 to 28 unchanged, not shown)

    29  The next question: which of the two threats are dominant in a real user's threat model? I think there are different categories of users:
    30
    31  [initial] (I) '''Users who are unconcerned about threats or unable to handle broken websites.''' For these users, "Safe" (Low) security is the (default) choice.
    31  [v1]      (I) '''Users who are unconcerned about threats or unable to handle broken websites.''' For these users, "Standard" (Low) security is the (default) choice.
    32  (II) '''Users who only visit "trustworthy" sites.''' (I define "trustworthy" as websites the user expects will not send malicious code.) For these users, Threat (A) is the dominant threat and in this case, "Safer" security seems appropriate, and Design (2) is better.
    33  (III) '''Users who visit "untrustworthy" sites.''' For these users, Threat (B) can be the dominant threat. (But Threat (A) still exists for these users to the same extent as for Category (II) users. The total risk of being exploited is higher.) Assuming they are using the "Safer" level, these users may prefer Design (1), at least for HTTPS.

    (lines 34 to 43 unchanged, not shown)

    44
    45  To sum up, my feeling is that "Safer" level with Design (2) offers better security and better usability to users who habitually visit "trustworthy" sites only. And the "Safest" level already provides the comprehensive protections needed for high-risk users who visit "untrustworthy" sites.
    46  [v1]      (blank line added)
    47  [v1]      '''Edit:''' Corrected my references to the lowest safety level to "Standard".