Err—this time to the entire list:
chasd wrote:
On Dec 15, 2007, at 8:14 PM, Hraban Luyat wrote:
While things like locking your car is common sense, logging out, unfortunately, is not, for most people.
Just because many people don't do it doesn't make it not common sense. It makes it an education issue. I always take any opportunity to educate people, such as this mail list.
Of course, in a world where everybody fully (or even just a little) understands on-line security, this is not a big deal.
That is something everyone needs to strive for to make the world a better place.
Might I add that it is not unheard of for people to actually forget to lock their car?
True, and people have locked their car when they didn't want to. Neither makes a case for ignoring the general rule of locking your car.
P.S.: According to most Canadians, an unlocked house is actually not "predestined to get compromised" ;)
There are other places other than Canada where that is true, and I have lived in a few. There are some places where one lock is not considered enough, and/or you pay someone to guard the door (NYC).
Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline IL 61265
List info: http://lists.roundcube.net/users/
Changing the world by re-educating everybody on no matter which topic is a very noble thing and I applaud you for doing it. There is, however, a time and a place for everything, and this webmail client is not the place, as far as I can see. Teaching people about the importance of security is good but building a good and secure webmail client is more important here. Providing the tools is not enough; how they will be used is just as important.
If you make a car that has a special knob somewhere below the driver's seat that you need to push to make the lock actually work and people do not know this, the car is not safe. No matter how tough it is to open it when the button is pushed; if people are not aware of it and thus not doing it, it's worth just as much as an unlocked car. While the car manufacturer can claim "but a car is only /really/ safe when this is done", and while car experts may all know and do this, the majority of the population knows little more about car security than just getting out and turning the lock.
Now, there are two options; take the opportunity to tell everybody how actually this system should be used or fix it so it works like everybody expects it to. Pros and cons of the first solution: it's safer than the other solution but it's more tedious to do, thus fewer people will buy your car (which means less profit). Second solution: no hassle for the customers but it's not as safe.
Back to roundcube; if you want to use roundcube to educate people about clicking "log out" instead of just closing the browser, that is a subject up for debate. While I personally support the practice of mentioning this to the user, I believe it is too harsh a method to just leave their session out in the open if they do not log out. I predict that in the end this will do nothing more than scare people into not using roundcube (and I would probably remove roundcube from the systems I administer to prevent my users from this if it is decided not to be fixed). My opinion, though, is just one amongst many. I would like to hear what others have to say.
Cheers,
Hraban Luyat
PS: While the car metaphor referred to a car being "less safe" when locked regularly, making session cookies time out when you close the browser is actually exactly the same as making people log out.