A short post about permissions in web applications – day 3
When I was younger I downloaded extensions without thinking much. Mostly extensions for Firefox.
As I got older and interested in security I've become a lot more careful. I know I'm not completely safe against malware, but then again I don't wear a hazmat suit at work either.
I've found some reasonable heuristics that have worked well for me and I should probably write a bit more about that some other time – possibly along with some ideas for truly paranoid organizations, but today I want to write about some wishes I have:
for all apps and extensions and whatnot: if we could somehow make sure they cannot get data off my computer that would go a long way. Note however that solving this problem in a truly general way will be hard.
for web applications: someone should sit down and think really hard about the granularity of the permissions they expose. For example, last I checked with a certain SAAS company my ssh keys worked for all projects I have access to while I want them to work on per project basis. Same goes for the way I had to allow a certain build system access to access all my projects to use it with one of them. Or how a small crowdfunding solution for software wants read access to more or less everything just to allow me to log in to send money to another project.
And a day has passed since last I wrote. But it doesn't matter according to the rules.