Comments on: Making a usable security dialog

By: DaVince

DaVince — Tue, 25 Aug 2009 02:31:12 +0000

Haha, when you started drawing up dialogs, the last one you made was the first one to pop up in my mind as the best way to do it. It’s good that you’re thinking about this sort of thing.

By: JanC

JanC — Fri, 29 May 2009 01:04:51 +0000

I don’t know what you people have or haven’t done, but running Windows-programs with a “double-click” has been working for me forever after installing Wine…

Do you have binfmt-support installed?

By: Milan Bouchet-Valat

Milan Bouchet-Valat — Sun, 24 May 2009 20:49:57 +0000

Very interesting! I don’t believe users will get too used to this dialog, since we’re on Linux: Windows programs should not be installed all the time. I think it’s absolutely required because else Wine would expose Ubuntu to Windows viruses, which is really ridiculous. I’d even go farther than you, and remove the checkbox: the dialog will be shown only once per app, so that’s not too much with regard to the security you gain. And keeping this kind of checkbox really says the user: “I’m a useless dialog, please untick the box!”

Maybe you could rephrase the message to say: “It’s the first time you start the Windows program XXXX. Do you want to give it the permissions to run?” Explaining why you ask (it’s the first time) maybe make it a little more legitimate.

And you must know that since 2.26 running a .desktop file that has no x bit set prompts a dialog too. I think you should harmonize the designs, only changing the type of the program, and that would help for all executables around here. good luck!

By: YokoZar

YokoZar — Fri, 22 May 2009 20:15:07 +0000

Regarding clamav integration: It’s a bit of work, but it’s something I could do if I had a bit of time. Getting the UI and configuration right requires some real design too.

By: YokoZar

YokoZar — Fri, 22 May 2009 20:11:30 +0000

If I designed this thing, there wouldn’t be a dialog at all. It would just work. That’s how it was in 8.04, until archive manager broke things in 8.10 and 9.04.

However, I think we can minimize users learning to ignore the dialog by minimizing the amount of times they see it. If you download the .exe in firefox, for instance, we can have Firefox do the same thing it does in Windows when you download an executable, and if the user clicks through that, then firefox can mark it +x for them.

Wine is also already configured to mark +x any executable that it creates itself. So when you run foo-installer, get through the dialog, and then you try to run foo itself, you won’t see the dialog a second time.

JohnCC: shared-mime-info should be able to tell apart mono binaries and win32 binaries.

By: JohnnyG

JohnnyG — Fri, 22 May 2009 19:08:40 +0000

I don’t have a good answer to this, but checkboxes like this one are not ideal as far as I’m concerned.

First off, in this case it is easy to accidentally uncheck, then launch the app + from then on things will launch no questions asked. So for me the check box needs some confirmation behind, to confirm you really did mean to change the value.

The other thing that bugs me about dialogs like this is that once you have switched them off it is rarely obvious how to switch them on again. This is the bit I don’t have a good answer too.

Finally, agree with Joseph Booker, dialogs like this really don’t help a lot. If the user encounters the thing often enough they get used to clicking without thinking. If they aren’t encountering the dialog often, then it is useful, but then in that case it is a rare enough event that a bit of extra trouble to run the app is probably not a big deal.

By: Andy

Andy — Fri, 22 May 2009 15:31:40 +0000

Just a thought – would it be worth trying to change the behavior so wine doesn’t launch programs without the execute bit set, and if you try, this dialog lets you either cancel, or set the execute bit, and run (so then you won’t ever be asked again for this particular application)?

You would need to go through a similar process to what you just did here to know how to word it right, but it seems to be a slightly better fit for the unix style permissions.

By: Joseph Booker

Joseph Booker — Fri, 22 May 2009 13:44:29 +0000

How is this any different from the old ‘You are not going from a secure page to an unsecure web page. Are you sure you want to continue?’ which *every* user gets trained to ignore (or uncheck the ‘warn me next time’).

Even files that are not expected to be executables will not be helped by this if the user is trained to press the launch button by habit, especially if they don’t even care to read what the dialog is saying to begin with.

Is making programs say “DANGER! If you do this, I didn’t tell you to, even though you need to in order to to use the programs you want, you can’t blame me if things go bad” really good usability?

I mean, if malware is a problem, why not have wine depend on clamav and have the gui launchers run a scan? or show a warning if the file matches /\.[a-z]*\.exe/i ?

By: JohnCC

JohnCC — Fri, 22 May 2009 09:58:31 +0000

How will you cope with the fact the Mono binaries share the same .exe suffix? Can file tell them apart with magic numbers and make sure the shell does the right thing? What about the fact that a user may have .Net binaries installed in Wine and want to use those to run Mono binaries by default? What currently happens if you double-click a Mono binary (I believe mono is installed as standard now).

By: Peteris Krisjanis

Peteris Krisjanis — Fri, 22 May 2009 07:54:33 +0000

I kinda like it, it sounds reasonable, not too frightening (getting rid of warning sign was clearly a clever step), and you could actually manage for casual user to read it.