MCE Security
Tue, 24 May 2005 18:27:36 GMT

optionsScalper did a post about MCE security. i've actually been waiting for him to make that post. one of his points is how the MSHTML UI has been simplified for the 10 foot experience; but this removes a lot of the context clues i use when surfing to judge a site's trustworthiness (address bar, secure connection lock, viewing source, no status bar to see links). when he hinted at this during lunch, i immediately saw his point and agreed.

at least the 'Online Spotlight' links are controlled by MS, but they aren't across a secure channel. moreover, i would like to have the security requirements that the Online Spotlight sites have to meet made public. e.g. i was using MSN Music and it prompted me for email and password to sign in. but i was scared to enter my password because there was no 'golden lock' telling me that it wasn't going to be sent in plaintext. if you put a sniffer on the wire, then you can see that it does go over https:, but there is no visibility to the user to make the right decision. another problem i saw was when entering passwords. the text box would mask most of the input, but the last character entered was not getting masked.

granted, it does do some really good things. popups don't happen ... end of story. ActiveX controls have to be registered. also, some of the sites would kick out to a standalone IE browser for secure data entry. plus i got the standard SP2 installation warning when running an executable.

anyway, i was not getting the warm fuzzy that i need to surf with a remote. so i'm really glad that he decided to post just to get more eyes on it.