You cannot ask users to manage their own security

January 10, 2009

I've been dancing around this issue recently, but it's time to come out and say it explicitly: if you want things to actually be secure, you cannot ask users to manage their own security.

In practice, users are not interested in security (well, not much) and are not going to do it, and the rare ones that are interested and do care almost certainly don't know enough to make sensible choices. What you get if you make users manage their own security is more or less what you'd get if you made home owners do their own electrical work: quite a few houses would burn down and many more would have horrifying electrical wiring that would provide fodder for home renovators for years.

So, to continue the analogy, if you want the houses not to burn down, either the houses have to be pre-wired correctly or there has to be a skilled electrician around to handle the wiring work. Since most users are on their own, the systems we build for them shouldn't need any management to be secure; they need to start out secure and stay that way by default, without users having to make the right decisions.

(This doesn't mean that you shouldn't offer users options; down that road lies Firefox 3's approach to SSL, or worse. And hopefully it goes without saying that your systems need to work well to start with, as security that gets in the way is in practice no security at all.)

Written on 10 January 2009.

Last modified: Sat Jan 10 03:36:00 2009