mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-23 21:20:42 +08:00
Xingyu Wang
parent
beb307ca57
commit
5240f53e83
@ -0,0 +1,87 @@
|
||||
[#]: subject: "Security buzzwords to avoid and what to say instead"
|
||||
[#]: via: "https://opensource.com/article/22/9/security-buzzword-alternatives"
|
||||
[#]: author: "Seth Kenlon https://opensource.com/users/seth"
|
||||
[#]: collector: "lkxed"
|
||||
[#]: translator: "ChatGPT"
|
||||
[#]: reviewer: "wxy"
|
||||
[#]: publisher: "wxy"
|
||||
[#]: url: "https://linux.cn/article-16325-1.html"
|
||||
|
||||
“安全”这个热词:应避免使用还是该更直接?
|
||||
======
|
||||
|
||||
![][0]
|
||||
|
||||
> 思考一下,如何在你的开源项目中真正定义安全性吧。
|
||||
|
||||
科技行业以创造“热词”而小有名气,当然,其他行业也是如此。譬如,“故事驱动”和“轻规则”是当下流行的桌游概念,“解构”的汉堡和墨西哥卷饼在高级餐厅颇受欢迎。然而,技术热词的问题在于,它们可能直接影响你的生活。当某人标榜应用程序“安全”,以此来吸引你使用他们的产品,产品实际上是在暗示一种承诺:“安全”的含义就是它是安全的,它值得你的使用与信任。但问题是,“安全”这个词可能指的是许多事情,技术行业常将它用作一个过于泛化的术语,以至于它逐渐失去了实际含义。
|
||||
|
||||
由于“安全”一词可能含义丰富,也可能一无是处,使用它就需要慎之又慎。事实上,最好是尽量避免使用这个词,取而代之的是,诉诸你真正要表达的东西。
|
||||
|
||||
### 当 “安全” 意味着加密
|
||||
|
||||
有时候,“安全” 会被作为 *加密* 的非常不明确的简短表述。在这种情况下,“安全” 指的是,对于外部观察者想要窃听你的数据,要经过一定的困难。
|
||||
|
||||
**避免这样表述:**“本网站稳如磐石且安全无忧。”
|
||||
|
||||
听起来很棒?你可能会想象一个拥有多重二次验证、零知识证明数据存储以及坚决的匿名策略的网站。
|
||||
|
||||
**你可以这么说:**“本网站承诺有 99% 的在线时间,并且其流量都通过 SSL 进行加密和验证。”
|
||||
|
||||
这样一来,承诺的含义变得清晰了,同时也明确了实现 “安全” 的方法(即使用 SSL)以及 “安全“ 的作用范围是什么。
|
||||
|
||||
注意,这里并未对隐私或匿名做出任何明确的承诺。
|
||||
|
||||
### 当 “安全” 意味着访问限制
|
||||
|
||||
有时,“安全” 这个词是指应用程序或设备的访问权限。如果没有明确的解释,“安全” 可能涵盖从无效的“隐蔽即安全”模式,到简单的 htaccess 密码,直到生物识别扫描器等各种概念。
|
||||
|
||||
**避免这样表述:**“我们已经为你防护好了系统。”
|
||||
|
||||
**你可以这么说:**“我们的系统采用了二步验证法。”
|
||||
|
||||
### 当 “安全” 意味着数据存储
|
||||
|
||||
“安全” 这个词也可以指你的数据在服务器或设备上的储存方法。
|
||||
|
||||
**避免这样表述:**“这个设备在数据存储上考虑了安全因素。”
|
||||
|
||||
**你可以这么说:**“这个设备利用全盘加密技术来保护你的数据。”
|
||||
|
||||
当提到远程存储时,“安全” 可能更多指的是谁可以访问存储数据。
|
||||
|
||||
**避免这样表述:**“你的数据是安全的。”
|
||||
|
||||
**你可以这么说:**“你的数据经过 PGP 加密,仅你持有私钥。”
|
||||
|
||||
### 当 “安全” 意味着隐私
|
||||
|
||||
今天,“隐私” 一词几乎和 “安全” 一样宽泛且模糊。一方面,“安全” 似乎必然就涉及 “隐私”,然而,这仅在 '安全' 有明确定义时才成立。是因为设有密码阻止外人进入所以称之为私有吗?还是因为数据已加密且仅你拥有密钥所以归为私有?又或者,由于存储你数据的厂商除了 IP 地址外对你一无所知,这才算是私有?光是口头声明 “隐私”,就像未经说明就声明 “安全” 一样,是不够的。
|
||||
|
||||
**避免这样表述:**“你的数据在我们这里是安全的。”
|
||||
|
||||
**你可以这么说:**“你的数据经 PGP 加密,且只有你拥有私钥。我们不需要你的任何个人信息,唯一能识别你的只有你的 IP 地址。”
|
||||
|
||||
一些网站会声明 IP 地址在日志中保留期限,及非经法律授权绝不向执法部门交出用户数据等诸多承诺。虽然这些并不属于技术 “安全” 的范畴,但它们全都涉及的是信任度,你不能将这些看作是技术规格。
|
||||
|
||||
### 明确所说
|
||||
|
||||
科技是个复杂的话题,极易引发混淆。沟通是至关重要的,虽然有时候简拼和专有名词在某些场合可能管用,但通常来说,讲明白总是比较好的。当你对你的项目的 “安全” 感到自豪,不要只用模糊的词语进行简述。向其他人明确你具体做了什么来保护你的用户,同时也要明确你认为哪些事物已超出你的考量范围,并要经常进行这样的沟通。“安全” 是个好特点,但它的涵盖面过广,所以请勿畏于夸赞自己在某个具体方向上的特别之处。
|
||||
|
||||
*(题图:MJ/b8cc54ee-5556-4106-b9fa-b08539452aa7)*
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://opensource.com/article/22/9/security-buzzword-alternatives
|
||||
|
||||
作者:[Seth Kenlon][a]
|
||||
选题:[lkxed][b]
|
||||
译者:[ChatGPT](https://linux.cn/lctt/ChatGPT)
|
||||
校对:[wxy](https://github.com/wxy)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://opensource.com/users/seth
|
||||
[b]: https://github.com/lkxed
|
||||
[1]: https://opensource.com/sites/default/files/lead-images/security-lock-password.jpg
|
||||
[0]: https://img.linux.net.cn/data/attachment/album/202310/28/095718zso6aaitoyyv4ain.jpg
|
||||
@ -1,85 +0,0 @@
|
||||
[#]: subject: "Security buzzwords to avoid and what to say instead"
|
||||
[#]: via: "https://opensource.com/article/22/9/security-buzzword-alternatives"
|
||||
[#]: author: "Seth Kenlon https://opensource.com/users/seth"
|
||||
[#]: collector: "lkxed"
|
||||
[#]: translator: " "
|
||||
[#]: reviewer: " "
|
||||
[#]: publisher: " "
|
||||
[#]: url: " "
|
||||
|
||||
Security buzzwords to avoid and what to say instead
|
||||
======
|
||||
Consider these thoughtful approaches to define what security really means in your open source project.
|
||||
|
||||
![Lock][1]
|
||||
|
||||
Image by: JanBaby, via Pixabay CC0.
|
||||
|
||||
Technology is a little famous for coming up with "buzzwords." Other industries do it, too, of course. "Story-driven" and "rules light" tabletop games are a big thing right now, "deconstructed" burgers and burritos are a big deal in fine dining. The problem with buzzwords in tech, though, is that they potentially actually affect your life. When somebody calls an application "secure," to influence you to use their product, there's an implicit promise being made. "Secure" must mean that something's secure. It's safe for you to use and trust. The problem is, the word "secure" can actually refer to any number of things, and the tech industry often uses it as such a general term that it becomes meaningless.
|
||||
|
||||
Because "secure" can mean both so much and so little, it's important to use the word "secure" carefully. In fact, it's often best not to use the word at all, and instead, just say what you actually mean.
|
||||
|
||||
### When "secure" means encrypted
|
||||
|
||||
Sometimes "secure" is imprecise shorthand for *encrypted*. In this context, "secure" refers to some degree of difficulty for outside observers to eavesdrop on your data.
|
||||
|
||||
**Don't say this:** "This website is resilient and secure."
|
||||
|
||||
That sounds pretty good! You're probably imagining a website that has several options for 2-factor authentication, zero-knowledge data storage, and steadfast anonymity policies.
|
||||
|
||||
**Say this instead:** "This website has a 99% uptime guarantee, and its traffic is encrypted and verifiable with SSL."
|
||||
|
||||
Not only is the intent of the promise clear now, it also explains how "secure" is achieved (it uses SSL) and what the scope of "secure" is.
|
||||
|
||||
Note that there's explicitly no promise here about privacy or anonymity.
|
||||
|
||||
### When "secure" means restricted access
|
||||
|
||||
Sometimes the term "secure" refers to application or device access. Without clarification, "secure" could mean anything from the useless *security by obscurity* model, to a simple htaccess password, to biometric scanners.
|
||||
|
||||
**Don't say this:** "We've secured the system for your protection."
|
||||
|
||||
**Say this instead:** "Our system uses 2-factor authentication."
|
||||
|
||||
### When "secure" means data storage
|
||||
|
||||
The term "secure" can also refer to the way your data is stored on a server or a device.
|
||||
|
||||
**Don't say this:** "This device stores your data with security in mind."
|
||||
|
||||
**Say this instead:** "This device uses full disk encryption to protect your data."
|
||||
|
||||
When remote storage is involved, "secure" may instead refer to who has access to stored data.
|
||||
|
||||
**Don't say this:** "Your data is secure."
|
||||
|
||||
**Say this instead:** "Your data is encrypted using PGP, and only you have the private key."
|
||||
|
||||
### When "secure" means privacy
|
||||
|
||||
These days, the term "privacy" is almost as broad and imprecise as "security." On one hand, you might think that "secure" must mean "private," but that's true only when "secure" has been defined. Is something private because it has a password barrier to entry? Or is something private because it's been encrypted and only you have the keys? Or is it private because the vendor storing your data knows nothing about you (aside from an IP address?) It's not enough to declare "privacy" any more than it is to declare "security" without qualification.
|
||||
|
||||
**Don't say this:** "Your data is secure with us."
|
||||
|
||||
**Say this instead:** "Your data is encrypted with PGP, and only you have the private key. We require no personal data from you, and can only identify you by your IP address."
|
||||
|
||||
Some sites make claims about how long IP addresses are retained in logs, and promises about never surrendering data to authorities without warrants, and so on. Those are beyond the scope of technological "security," and have everything to do with trust, so don't confuse them for technical specifications.
|
||||
|
||||
### Say what you mean
|
||||
|
||||
Technology is a complex topic with a lot of potential for confusion. Communication is important, and while shorthand and jargon can be useful in some settings, generally it's better to be precise. When you're proud of the "security" of your project, don't generalize it with a broad term. Make it clear to others what you're doing to protect your users, and make it equally clear what you consider out of scope, and communicate these things often. "Security" is a great feature, but it's a broad one, so don't be afraid to brag about the specifics.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: https://opensource.com/article/22/9/security-buzzword-alternatives
|
||||
|
||||
作者:[Seth Kenlon][a]
|
||||
选题:[lkxed][b]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]: https://opensource.com/users/seth
|
||||
[b]: https://github.com/lkxed
|
||||
[1]: https://opensource.com/sites/default/files/lead-images/security-lock-password.jpg
|
||||
Loading…
Reference in New Issue
Block a user