Wandering Thoughts archives


You cannot ask users to manage their own security

I've been dancing around this issue recently, but it's time to come out and say it explicitly: if you want things to actually be secure, you cannot ask users to manage their own security.

In practice, users are not interested in security (well, not much) and are not going to do it, and the rare ones that are interested and do care almost certainly don't know enough to make sensible choices. What you get if you make users manage their own security is more or less what you'd get if you made home owners do their own electrical work: quite a few houses would burn down and many more would have horrifying electrical wiring that would provide fodder for home renovators for years.

So, to continue the analogy, if you want the houses not to burn down either the houses have to be pre-wired correctly or there has to be a skilled electrician around to handle the wiring work. Since most users are on their own, the systems we build for them shouldn't need any management to be secure; they need to start out secure and stay that way by default, without users having to make the right decisions.

(This doesn't mean that you shouldn't offer users options; down that road lies Firefix 3's approach to SSL or worse. And hopefully it goes without saying that your systems need to work well to start with, as security that gets in the way is in practice no security at all.)

tech/WhoManagesSecurity written at 03:36:00; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.