Chris Muller wrote:
> So lately I'm thinking this attempt to eat my cake and have it too is fruitless. Either the user will have to be somewhat aware of security or there should probably be no security. I need to choose a more definitive philosophy:
> always on? default on, allow turning it off? default off, allow turning it on?
My preference: "default on, allow turning it off".
I'm quite happy to have security be a little bothersome (nothing costs nothing, right?). I use ssh and https extensively, and find them both quite usable once they're set up correctly. ssh is extremely easy to set up; https is quite tricky (because of the fact that certificates are signed by an external CA, which requires a CSR, and so on).
The best way to mitigate user-frustration is to have the process be as simple as possible but no simpler, have great documentation available on the web, and make the system as easy to fault-find as possible.
Also, the fact that there are several extra steps required to activate the security features gives it an aura of "we are serious about this stuff" :>
Bruce Schneier would probably dismiss this as "security theatre", but my experience is that
- if it is totally easy to turn on security, then people still mess it up.
- if it is totally impossible to turn on security, no one uses it.
- if it is slightly hard, people use their brains when setting it up.
Andrew