security advice

Andrew Gaylard ag at computer.org
Thu Nov 10 07:54:39 UTC 2005


Chris Muller wrote:

> So lately I'm thinking this attempt to eat my cake and have it too is
> fruitless.  Either the user will have to be somewhat aware of security or there
> should probably be no security.  I need to choose a more definitive philosophy:
> 
>   always on?
>   default on, allow turning it off?
>   default off, allow turning it on?

My preference: "default on, allow turning it off".

I'm quite happy to have security be a little bothersome
(nothing costs nothing, right?).  I use ssh and https
extensively, and find them both quite usable once they're
set up correctly.  ssh is extremely easy to set up; https
is quite tricky (because of the fact that certificates are
signed by an external CA, which requires a CSR, and so on).

The best way to mitigate user-frustration is to have the
process be as simple as possible but no simpler, have great
documentation available on the web, and make the system
as easy to fault-find as possible.

Also, the fact that there are several extra steps required
to activate the security features gives it an aura of "we
are serious about this stuff" :>

Bruce Schneier would probably dismiss this as "security theatre",
but my experience is that

- if it is totally easy to turn on security, then people still mess it up.
- if it is totally impossible to turn on security, no one uses it.
- if it is slightly hard, people use their brains when setting it up.

Andrew