IE KIOSK Mode: Fighting for a feature I love

Jeremy W. wrote:

Shining Arcanine wrote: By the way, this isn't a feature, it is a security risk. This thread should be called: "IE KIOSK Mode: Fighting for a security risk I love"

It's a feature as soon as someone uses it as such.

I consider it a risk as it is absurdly easy to trick someone to give away private information.

..guys.. (gals?) i really am just stating:  i love fullscreen - feature / BUG haha whatever it is.

it does not deserve to be AXED.

And for all the OSS pros out there, the removal of fullscreen = less FREEDOM within the win interface..  use it or not - like it or not - at least shout out on the removal: FREEDOM grab

Not that there is a conspiracy.. they wanted to  lock stuff down tight - and they did. but maybe...just maybe..they did not leave enough time to think out how to retain an important feature.. ( to some

hope someones at least questioning...

if its gone...its gone  oh well

BTW: SA / Manip:  you guys no a good mozilla programer that could re-write the "old" way into a custom FireFox? lol

Shining Arcanine wrote:

Jeremy W. wrote: Shining Arcanine wrote: By the way, this isn't a feature, it is a security risk. This thread should be called: "IE KIOSK Mode: Fighting for a security risk I love" It's a feature as soon as someone uses it as such.

I consider it a risk as it is absurdly easy to trick someone to give away private information.

Repeating what I said earlier: are you saying there is NO way to make fullscreen webapps that are insecure? If MS can solve the millions of problems they solve every year, you don't think they can make a secure fullscreen system? Sounds dodgy to me.

I realise they have to choose what features get ported, but I'm with Jamie, just becuase it isn't implemented properly, doesn't mean it isn't a feature that should be protected.

If we let people make fullscreen webapps, it is trivially easy for them to also make phishing webapps. There is no way around this - you have to make it "not quite fullscreen" and include some permanent visual element. 

Jamie is complaining that permanent visual elements are ugly. Well, yes. That's the whole point. People notice them, and realize that they're not actually logging in to their Citibank account

I realise that. I'm just not convinced that there isn't a way around it. I just can't believe that ActiveX can be made 'secure' through user-input, and a full-screen mode can't.

I mean, worst case, prompt for it, you know what I mean? I'm sorry, but we have 4 apps here in our hospital that are web-based and use full-screen mode: auto-patient triage, 2 thin-client apps and a reporting app in cardiology.

I understand the issue with phising, that's not something I've argued this whole thread, I just don't think the feature needs to be eliminated in order for the web experience to be secure. There are always options.

But you can still make "almost fullscreen" right? So it's basicly an aesthetic problem?

/Lars.

Uh, no, if 'almost fullscreen' allows users to click on stuff, then it might as well not be 'almost fullscreen' at all. The point of going into fullscreen mode is taht all of the options users have are presented to them, and nothing else.

I realise this is the thing with phishing too, but this is a legitimate usage. One where we have no problem with popups / confirmations / warnings, because we'd just do that before deploying it to the user. If the user can go to non-fullscreen mode, click the start button, etc, it shoots the whole concept in the foot.

edit: sorry, that was more flippant than I meant it to be. From my perspective there is no reason that any security concerns couldn't be bypassed by letting the user know some simple facts:

- current website address
- if this is a 'signed' fullscreen page (c'mon, if we can make ActiveX 'secure', surely we can make a fullscreen webpage secure)
- if it's an 'unsigned' fullscreen page, popup the warning every [x] minutes/seconds

I dunno, I guess this just seems like an awareness / training issue to me, and removing what is a feature doesn't seem like the best course of action (to me). I'm not saying you guys are wrong about the security risks, I just don't agree with the ultimate decision.

Jeremy W. wrote:

I realise this is the thing with phishing too, but this is a legitimate usage. One where we have no problem with popups / confirmations / warnings, because we'd just do that before deploying it to the user. If the user can go to non-fullscreen mode, click the start button, etc, it shoots the whole concept in the foot.

In that case, you need a native app or HTA, not a normal web page / browser expirience.

No I don't. The feature is currently available. The cost to pay an app developer is 3 times what it is to pay a web developer. Why should I have to worry about all the language issues when an HTML page with a slight backend is more than enough?

Nobody has answered me on why a simple dialog wouldn't suffice to deal with the phishing threat. ActiveX controls could literally fry a computer, but it's enough in that case.

Maybe I'm off base, but I just don't see the difference. If protection can be there for something that can fry your computer, but not for something like fullscreen mode it just seems odd.

Jeremy W. wrote:

Nobody has answered me on why a simple dialog wouldn't suffice to deal with the phishing threat. ActiveX controls could literally fry a computer, but it's enough in that case.

I'm going to take a stab at this, but frankly I don't have a great answer. 

Let's say you have a IE popup that says "Click OK if you want to switch to full-screen".  Now, assume that a popular website wants to go fullscreen (like your hospital apps).  It would be annoying from a user point of view to have to click OK everytime that website was navigated to.  I suppose IE could include a whitelist feature for OK'ed sites, but considering how long its taken IE to get a popup blocker, I imagine there wasn't enough time for such an effort.

Considering the number of people who install any random software on their machine, its not surprising that MS would make an extra effort to prevent this kind of measure.  I strongly believe that there are people who will happily click "OK" on whatever dialog comes up to get to Foo.com, because their buddy said to check it out.

Of course, that kinda shoots down my own native app / HTA argument, doesn't it?

See, the thing is that most legitimate uses of fullscreen are in an app setting. Sure, some web designers like jamie (no offence Jamie, I'll get to this in a second) use it for general purpose websites. For us, though, it's quite critical to these apps.

If a user had to click "OK" every time they navigated to the page which launched into fullscreen mode, that would be perfectly fine for us. Why? Because a user would never do it. IT folk would when we setup the kiosk / thin-client interface.

Also, I'm not sure that a "always trust site [x]" would be that difficult. Again, it was possible with ActiveX, right?

I'm really not trying to push too hard on this, I just don't see this as an insurmountable problem, and when I know of at least 5,000 end users who would be affected by this, just in our regional health authority, I know that there are others who would be as well.

To me, this just isn't as simple as "well, there's phishing, so we can't allow fullscreen mode".

Unfortunately I think that Microsoft has learned from email attachments that user education just isn't enough. You can tell people not to do it till they're blue in the face, and a significant fraction of them will still open dangerous attachments - or, equivalently, click OK to allow a phishing site to go full-screen.

Your point about trusted sites is a good one, though. And another question - has your hospital tried their web apps under XP SP2 yet? Does it break them?

We haven't done any upgrading to XP SP2. Hell, we're not getting off 95 until the end of the year and 98 until next summer. It'll be a while before we get to SP2.

In fact, we only have 50 XP machines (compared to 1200 2000 machines). Most of those are in C&IS (Communications and Information Services: IT and Phones). I doubt we'll actually make a move to XP. Based on Longhorn's timeline, I expect we'll be recommending an upgrade to that in late 2007, early 2008 (give or take). Mainly depending on when 2000 support runs out.

Jeremy W. wrote:

Repeating what I said earlier: are you saying there is NO way to make fullscreen webapps that are insecure? If MS can solve the millions of problems they solve every year, you don't think they can make a secure fullscreen system? Sounds dodgy to me.

ActiveX, which has to be made by the web developer.

Jeremy W. wrote:

I realise that. I'm just not convinced that there isn't a way around it. I just can't believe that ActiveX can be made 'secure' through user-input, and a full-screen mode can't.

I mean, worst case, prompt for it, you know what I mean? I'm sorry, but we have 4 apps here in our hospital that are web-based and use full-screen mode: auto-patient triage, 2 thin-client apps and a reporting app in cardiology.

I understand the issue with phising, that's not something I've argued this whole thread, I just don't think the feature needs to be eliminated in order for the web experience to be secure. There are always options.

Full screen is something that SHOULD NEVER be utilizable by webpages. If you want to create an internet application that takes over the entire screen, you already said what you need to use... ActiveX. Now stop complaining about something that makes the world a better place.

Jeremy W. wrote:

See, the thing is that most legitimate uses of fullscreen are in an app setting. Sure, some web designers like jamie (no offence Jamie, I'll get to this in a second) use it for general purpose websites. For us, though, it's quite critical to these apps.

If it is needed in an application setting, why don't you learn .NET and code one?

Re: Learn .NET and code one

Jeremy W. said it best:
" The cost to pay an app developer is 3 times what it is to pay a web developer. Why should I have to worry about all the language issues when an HTML page with a slight backend is more than enough?"

Look at it this way Jamie; this is your chance to tripple your income!

Won't XAML give you the best of both worlds - declaring an application GUI using XML based markup?

/Lars.

jamie wrote:

Re: Learn .NET and code one

Jeremy W. said it best:
" The cost to pay an app developer is 3 times what it is to pay a web developer. Why should I have to worry about all the language issues when an HTML page with a slight backend is more than enough?"

It never was supposed to be possible and never should have been. Microsoft should have been sued for implementing the capability.

Except that, at the time, NS also allowed it. You can argue that it's a security risk all you like, and I'll agree with you. I'm not entirely sure how you'd propose that I create a fullscreen ActiveX application inside IE, if IE can't be fullscreen though.

I'm quite comfortable developing apps, but the fact of the matter is that there ARE legitimate uses for thise outside of applications, and outside of phishing.

Abuse doens't mean a feature is bad.

I'm also unsure why you feel this was "never supposed to be possible". You'll need to fill me in on this one.