[sldev] Re: Viewer Auth Feedback
Argent Stonecutter
secret.argent at gmail.com
Tue Oct 2 08:42:23 PDT 2007
On 02-Oct-2007, at 09:38, Nicholaz Beresford wrote:

> Only if you can't use the password (the one which you gave the viewer)
> to reconfigure these options. If 3rd party viewer security is the
> goal, the only way to enforce that, is (like everything these days)
> server side by not allowing the viewer to do specific things.

Since, for most people, the viewer is more secure than the web
browser... this would lead to an overall reduction in security.

That's something I can't emphasize enough. For most people, the web
browser is far more likely to be compromised than the viewer, whether
they're using a third-party viewer or not. And with XSS the browser
can be compromised without the browser sandbox being breached.

For example... I'm glad I use POP for most of my gmail reading, so
I'm usually not logged in to google.

THIS is one (of many) reasons I don't want to use the same identity
on multiple sites, regardless of whether I authenticate by a
password, certificate, OpenID, or magic wand.