[OpenID] Another Client-side Password Phishing Mitigation Idea

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sun Jan 21 22:12:30 UTC 2007


This kind of detection can be very easily avoided in my opinion.

We need to send a clear message to OPs or RPs: "Please include this in
this way to make your form detectable by various browsers/plugins that
will apply an additional layer of security", not: "there are some regular
expressions and some fuzzy logic, so there is a high degree of
probability that your form will be treated as a login form and protected
by Identity Manager". This should be boolean, not fuzzy. And also
should enable browser/plugin makers to compete in creating the best
security plugin. Identity Manager is one option. We let users
choose their OP, so we should let them choose their security
plugin/browser.

regards

Marcin

07-01-21, Dmitry Shechtman <damnian at gmail.com> wrote:
> Marcin,
>
> I assume you are talking about an "identity manager plugin". Actually, I
> envision it as core browser functionality.
>
> I don't quite understand what you mean by "plugin will not start". My
> suggestion includes RP detection as explained in the reply to your comment
> to my post.
>
>
> Regards,
> Dmitry
> =damnian
>
>