[OpenID] Replacing all browsers isn't as hard as it might seem...
James A. Donald
jamesd at echeque.com
Tue Jan 23 09:23:15 UTC 2007
> > The fact that browsers have failed to provide us
> > with the capabilities we need to provide our users
> > with a safe browsing experience cannot be something
> > that we simply accept and try to work around. This
> > situation should be considered a scandal and the
> > press should be filled with articles on the subject.
> > The proper and correct course of action is, I think,
> > to find means to force the browser developers to
> > address better the most critical needs of the
> > market. Too many people have lost too
> This statement bothers me, somewhat. It's impossible
> for me to say this (as the only guy in the room who
> works on a web browser for a living) without sounding
> defensive, but ... I don't know why it's up to
> web-browser vendors alone, or why browsers alone are
> being made to blame. Why not ISPs, CAs, protocol and
> technology specification authoring groups? Or banks
> for continuing to email clients with links to their
> web pages instead of clearly stating "we will never
> email you a web link, ever, ever, ever!" Do you
> similarly consider email clients to blame for allowing
> spam or web scams, telephone manufacturers to blame
> for allowing telephone scams, or banks to blame for
> credit card fraud? Surely not on their own. The
> failures that have led to the relative ease of
> phishing, MITM, pharming, etc, should be shared
> equally. The browser vendors can help and work with
> these groups to make things better, and we can even
> act in harmony to deprecate blatantly insecure
> technologies (as we did by refusing to display certain
> versions of SSL), but I don't think that it's only up
> to us.
Phishing can only be fixed in the user agent.
We also have a closely related problem, too damn many
The user agent needs to handle registration, login, and
website initiated messages to registrants.