
Re: ::scr Internet Explorer - Danger in numbers?



On Wed, 6 Mar 2002, Simon Wistow wrote:
>The big problem, in my opinion, is that they put usability before
>security.

There's a big difference between having lots of features and having
usability.

I'd say that MS' obsession is with featureful-ness. That can be as harmful
to usability as it is to security. Putting the ability to do something the
user doesn't need in means you have higher complexity and more places for
bugs to slip through. You also have to expose the extra functionality in the
interface somewhere, so more than likely the user gets to pick between it
and what they really want at the time somewhere.

Of course knowing that doesn't help you know what the user needs to do.

You might be able to hide the extra complexity with the right structure, but
an overcooked generic mechanism for doing stuff can bite you too. Word 97's
'Application.Options.VirusProtection = false' in a macro virus, for
instance.

Many of the latest IE misfeatures wouldn't be there if those kind folk from
Redmond hadn't been embracing and extending quite so much, and cobbling
together different scopes (local, internet, wherever) without quite ever
/removing/ the functionality where it is configured out, so the odd slip
lets you ignore the settings (numerous times with ActiveX controls and
whatnot).

This is all coming out like an anti-Windows, anti-Microsoft rant. That isn't
especially my intention, and I'm sure I'll be flailing at others sometime
soon.

In short, if you keep the complexity down, then you have a better shot at
explaining it to the user, and a far better chance that you'll be able to
keep your eye on what the hell you are doing. Of course code that fits
entirely in some smart coder's head doesn't often solve the grand plans we
have. A lot of the rest of software engineering seems to be geared around
not throwing everything you had away when you go past that limit.

-- 
ash
a-k
... The real world is a special case.