[cap-talk] Security considerations for cookies

Sandro Magi naasking at higherlogics.com
Tue Feb 23 12:10:14 PST 2010


This exact argument applies to the Petname Toolbar, so if you're
suggesting this anti-spoofing scheme would fail, then so would petnames.

If the user is suddenly presented with a theme/icon that is completely
different, the initial shock will be sufficient to make them look twice
and question what's going on. They will then notice that none of their
e-mails are there, or their folders don't look right, etc.

In order to be explicit about what action should be taken, you can also
display a prominent message with a link, "Not your account/Something
doesn't look right? Sign out here."

Sandro

On 23/02/2010 2:37 PM, Toby Murray wrote:
> Sorry, I thought you were implying that GMail already implements this.
> 
> I'm still not convinced that even I would be protected by this system
> however.
> Were I presented with the wrong scheme, I might well just assume Google
> was buggy.
> 
> You're asking users to make a mental judgement ("I might be under
> attack") which they are loath to do. Who wants to believe they might be
> under attack when it's much easier to believe GMail is buggy?
> 
> Just as secure systems need to be designed so that "the most secure way
> for this system to be used, is also the easiest and most natural way to
> use it" they also need to be designed so that "the mental model for the
> user to adopt that yields the interactions with the system that keep the
> user most secure, is also the easiest and most natural for them to
> adopt", with "easy" there interpreted to include "requires the user to
> make the least number of uncomfortable assumptions, or adopt the least
> number of beliefs that lead to uncomfortable conclusions".
> 
> Only real fear makes people adopt uncomfortable beliefs (cf. terrorism
> hype). Without proper fear, people naturally choose beliefs and
> assumptions that produce less discomfort (cf. climate change denial).
> 
> It follows that any system that requires the user to consciously
> acknowledge the fact that they might be under attack, in order for it to
> be secure, is suboptimal.
> 
> Cheers
> 
> Toby