Perhaps this one will be a little less controversial than my previous post!

When I review threat models, I often target it on the mitigations, making sure they are good, solid and well thought out. One mitigation type that worries me is when a team mitigates a threat by asking the user/admin to make a trust decision. As a rule of thumb, this is not the best mitigation. Sometimes you must ask the user, I understand that, but fewer trust dialog boxes is often safer.

Case in point is IE in XPSP2 - have you noticed a number of dialog asking users to make security decisions have “gone away”? Rather the browser simply enforces a default security policy and tells you what it just did (in a bar above the HTML content.) For example blocking ActiveX controls, or blocking pop-ups and so on. If you want to change the policy then go ahead, but the default is not to prompt the user.

Net net: We've found that constantly asking users to make trust decisions is generally not a good thing. Invariably, people will see the dialog, and to them it'll read, “Do you want to get your job done” and they'll hit 'yes' with little or no regard for the consequences.

So now, we just enforce a default security policy.

Simple, really.