dhh1128 / intent

the intent formal language
https://intentlang.org

integrate security into design of functions and classes as coder works #67

Status: Open. dhh1128 opened this issue 9 years ago.

dhh1128 commented 9 years ago

assume least privilege (or privilege of caller?)

From http://sid.toolness.org/ch13yee.pdf: As Diana Smetters and Rebecca Grinter have suggested, security goals should be closely integrated with the workflow of the main task to yield implicit security. Extracting information about security expectations from the user’s normal interactions with the interface enables us to minimize or eliminate the need for secondary security tasks.

Another comment from the same source:

User interfaces also aggregate actions: downloading a web page requires many steps in the implementation, but for the user it’s a single click. Interface design requires decisions about which distinctions to expose and hide. Exposing pointless distinctions generates work and confusion for the user; hiding meaningful distinctions forces users to take unnecessary risks.

On a Mac, for example, an application is shown as a single icon even though, at the system level, that icon represents a set of folders containing all the application’s files. The user can install or remove the application by manipulating just that one icon. The user doesn’t have to deal with the individual files, or risk separating the files by mistake. This design decision simplifies the user’s experience by hiding distinctions that don’t matter at the user level.

On the other hand, the security controls for web page scripts in Mozilla neglect to make important distinctions. Mozilla provides a way for signed scripts to gain special privileges, but the only option for file access is a setting that grants access to all files. When the user is asked whether to grant that permission, there is no way to control which files the script is allowed to access. The lack of a boundary here forces the user to gamble the entire disk just to access one file.
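The contrast the quoted passage draws (an all-or-nothing file grant versus a grant scoped to the one file the user actually picked) as an added Python sketch; this is illustrative code written for this issue, not part of the intent project. It assumes a hypothetical `FileMonitor` that mediates every read a script makes, so that the user's ordinary act of choosing a file in a dialog is itself the security decision (Yee's implicit security), and the script is never handed authority over the rest of the disk.

```python
from pathlib import Path
import tempfile


class AccessDenied(Exception):
    pass


class FileMonitor:
    """Constructed reference-monitor sketch: every read a script makes goes through here.
    grant_all=True models the all-or-nothing setting described above; otherwise only
    files the user designated through the chooser are readable."""

    def __init__(self, grant_all: bool = False):
        self.grant_all = grant_all
        self._designated: set[Path] = set()

    def user_chooses(self, path: Path) -> Path:
        """The user's normal act of picking a file doubles as the grant: no second prompt."""
        resolved = path.resolve()
        self._designated.add(resolved)
        return resolved

    def read_text(self, path: Path) -> str:
        resolved = path.resolve()
        if self.grant_all or resolved in self._designated:
            return resolved.read_text()
        raise AccessDenied(f"script holds no grant for {resolved}")


def run_script(monitor: FileMonitor, wanted: Path) -> str:
    """A script that legitimately needs one file; it can only read via the monitor."""
    return monitor.read_text(wanted)


def demo() -> dict:
    """Runs both models on constructed sample files and reports what each lets the script reach."""
    with tempfile.TemporaryDirectory() as d:
        chosen = Path(d) / "report.txt"
        chosen.write_text("quarterly numbers")
        secret = Path(d) / "ssh_key"
        secret.write_text("PRIVATE")
        coarse = FileMonitor(grant_all=True)  # wanting report.txt costs the user the whole disk
        coarse_reaches_secret = run_script(coarse, secret) == "PRIVATE"
        fine = FileMonitor()  # choosing report.txt grants exactly report.txt
        fine_reads_chosen = run_script(fine, fine.user_chooses(chosen)) == "quarterly numbers"
        try:
            run_script(fine, secret)
            fine_blocks_secret = False
        except AccessDenied:
            fine_blocks_secret = True
    return {"coarse_reaches_secret": coarse_reaches_secret,
            "fine_reads_chosen": fine_reads_chosen,
            "fine_blocks_secret": fine_blocks_secret}
```

The same pattern applies to a language design: a function that receives a file handle as a parameter carries the caller's designation with it, whereas one that opens paths by name relies on ambient, disk-wide authority.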