On being a user agent
Saturday, 28. January 2006, 14:02:08
A few times in my life I've had the mixed blessing of dealing with Visa authorities. Their job is to ask for impressive piles of paper that I guess noone will read closely, and among the things one must document is usually that you have enough money in your bank account to survive for a while without "resorting to public funds" (doesn't sound like the type of resort I'd want to spend a holiday at but Visa People like reminding you not to anyway).
Now, since I try to save some trees by asking all my banks never to send me paperwork and prefer online banking, I usually supply printouts of online bank statements. I'm always shocked that nobody questions this. I mean, it's not rocket science to edit the cache file before printing or use a bookmarklet to add a couple of strategic zeros is it? If becoming a millionaire was that easy..
Well, I'm glad visa authorities don't know this - but there is absolutely nothing in the design of a browser that is meant to guarantee the authenticity of a printout. The very simple reason for that lies in the term "User Agent". The browser is your "agent", your tool for performing tasks online. It is designed to "trust" and empower YOU as the user. It wasn't designed to verify the size of your bank account. It never ever submitted an application about becoming the Visa Authority's agent. And it does not accept responsibility for any consequences of being forced into this role by ignorant Visa Officers!
I'm sure someone in the right office would call that a security problem. To me, it demonstrates how the simple design principle "User Agent" has plenty of scope for controversy. I believe that while the importance of the Internet keeps growing, we'll run into more and more of these implicit and explicit expectations to user agent behaviour - like the assumption "web page printouts show the authentic data sent from the server" - and it may sometimes be difficult to balance these expectations.
Not every website or authority likes an empowered user. You've got those sites who don't want you to right-click or view source or save or whatever idiocy they try to enforce. Noone needs to be concerned with those that "hide" source code under such tin foil hats - but then you also have the sites that for very plausible reasons want to prevent passwords being saved or make sure the back button doesn't return you to the cached version of the previously viewed page. And several of those sites have both guts and importance to give the UA the ultimate threat: do as we tell you, or we block your users!
And those sites have a point - there are security concerns inherent inn building software that trusts the user - because what if the user right now isn't you but the next guest at the internet cafe you left without closing the browser, or your rogue colleague at work playing with your Wand logins?
Evidently, we don't want to let pages block right-click nor become the Visa Authority Agent - but how do we strike the balance between security for the sites that really need it and a trust-the-user, empowering design?
Now, since I try to save some trees by asking all my banks never to send me paperwork and prefer online banking, I usually supply printouts of online bank statements. I'm always shocked that nobody questions this. I mean, it's not rocket science to edit the cache file before printing or use a bookmarklet to add a couple of strategic zeros is it? If becoming a millionaire was that easy..
Well, I'm glad visa authorities don't know this - but there is absolutely nothing in the design of a browser that is meant to guarantee the authenticity of a printout. The very simple reason for that lies in the term "User Agent". The browser is your "agent", your tool for performing tasks online. It is designed to "trust" and empower YOU as the user. It wasn't designed to verify the size of your bank account. It never ever submitted an application about becoming the Visa Authority's agent. And it does not accept responsibility for any consequences of being forced into this role by ignorant Visa Officers!
I'm sure someone in the right office would call that a security problem. To me, it demonstrates how the simple design principle "User Agent" has plenty of scope for controversy. I believe that while the importance of the Internet keeps growing, we'll run into more and more of these implicit and explicit expectations to user agent behaviour - like the assumption "web page printouts show the authentic data sent from the server" - and it may sometimes be difficult to balance these expectations.
Not every website or authority likes an empowered user. You've got those sites who don't want you to right-click or view source or save or whatever idiocy they try to enforce. Noone needs to be concerned with those that "hide" source code under such tin foil hats - but then you also have the sites that for very plausible reasons want to prevent passwords being saved or make sure the back button doesn't return you to the cached version of the previously viewed page. And several of those sites have both guts and importance to give the UA the ultimate threat: do as we tell you, or we block your users!
And those sites have a point - there are security concerns inherent inn building software that trusts the user - because what if the user right now isn't you but the next guest at the internet cafe you left without closing the browser, or your rogue colleague at work playing with your Wand logins?
Evidently, we don't want to let pages block right-click nor become the Visa Authority Agent - but how do we strike the balance between security for the sites that really need it and a trust-the-user, empowering design?
You must be logged in to write a comment. if you're not a registered member, please 
By dan1el, # 28. January 2006, 16:38:11
By troels, # 28. January 2006, 16:45:32
Unfortunately, there is no corresponding law requiring employers to provide printed copies of paychecks. I'm assuming that the "printed from a computer doesn't count" rules will cease to be enforced in time, but ... I hope not to find out too soon.
By jimjjewett, # 1. February 2006, 01:16:24
By feldgendler, # 1. February 2006, 03:59:52
But I say no: User Agent should stay User Agent and nothing else. If you really nead to, make a safe system, but don't blame the "damn User Agent system".
There should be machine readable code written on the paper. Containing the Session_ID (not necessarily the PHP function), the cash amount, ... etc. etc. ... not easy to crack that down.
And at the Bank you could just have a scanner reading the code and looking up if that code is valid and if it has been used before ...
You just have to *think*. Blaming anybody else and/or inventing unsecure (doesn't need explanation) or unconstitutional (see: DRM) systems is just no way. You've got to live with the consequences.
I hope Opera will stay a full-fanged User Agent in the future ... don't you?
By _Grey_, # 1. February 2006, 19:58:49
feldgendler: it is the user's responsibility to "drive safely"? Sure, but look at IE's BHO mess. There is no way we can require a "driving test" before you start browsing with Opera..
By hallvors, # 2. February 2006, 15:30:40
By qicaispace, # 29. May 2006, 03:40:57