Hello, I am coming back to an old subject, but with new information.

There is a huge "Won't fix" bug concerning the pop-up/under behavior of update manager since 9.04: https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/332945

Recently one of the people who insist on keeping the bug alive (like me) made a dirty, simple mockup of a page that would present itself as the update manager and ask for the administration password. See https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/332945/comments/456

Note that even though this mockup is very crude and can easily be recognized due to the outer browser window in the pop-up, it should raise some eyebrows. Just imagine a more sophisticated page using Flash to draw a windowless fake update-manager window and capture the password (can Flash send information to a server?).

I now truly believe that the behavior of having an administration window popping up (or under) without the explicit user request may be viewed as a possible security flaw. Naive users, once used to this behavior, can start accepting fake windows that appear during browsing. It would be much easier to tell the user: never give a password unless you started a workflow where you already knew that a password would be required. This sounds like common sense. With the new update-manager we cannot say that to the users anymore.

I know that this is not exactly a usability problem, but it was caused by a usability decision. Shouldn't we ask some security experts in Canonical at least to comment on this?

best,

Paulo

Obs: I have sent this email before using my Gmail address and it seems it did not pass through, so I am resending it now using the email address that I use in Launchpad. If a double post happens, I beg your pardon.

--
Paulo José da Silva e Silva
Professor Associado, Dep. de Ciência da Computação
(Associate Professor, Computer Science Dept.)
Universidade de São Paulo - Brazil
e-mail: pjssi...@ime.usp.br
Web: http://www.ime.usp.br/~pjssilva

_______________________________________________
Mailing list: https://launchpad.net/~ayatana
Post to : ayatana@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ayatana
More help : https://help.launchpad.net/ListHelp