[sldev] Re: Viewer Auth Feedback

Argent Stonecutter secret.argent at gmail.com
Tue Oct 2 08:42:23 PDT 2007


On 02-Oct-2007, at 09:38, Nicholaz Beresford wrote:
> Only if you can't use the password (the one which you gave the viewer)
> to reconfigure these options.  If 3rd party viewer security is the goal,
> the only way to enforce that, is (like everything these days) server
> side by not allowing the viewer to do specific things.

Since, for most people, the viewer is more secure than the web  
browser... this would lead to an overall reduction in security.

That's something I can't emphasize enough. For most people, the web  
browser is far more likely to be compromised than the viewer, whether  
they're using a third-party viewer or not. And with XSS the browser  
can be compromised without the browser sandbox being breached.

For example... I'm glad I use POP for most of my gmail reading, so  
I'm usually not logged in to google.

THIS is one (of many) reasons I don't want to use the same identity  
on multiple sites, regardless of whether I authenticate by a  
password, certificate, OpenID, or magic wand.



More information about the SLDev mailing list