[OpenID] FB Connect, OpenID and UX

Steven Livingstone-Perez weblivz at hotmail.com
Mon Dec 15 19:49:43 UTC 2008


Been on other things so apologies if this was discussed in the previous
thread on FB Connect.

Perhaps I am mistaken on how FB Connect works, but today I read [1] that one
"issue" with OpenID is that you need to GO to the provider web site to log
in and so it's a hassle for users, whereas with FB Connect you can log in on
that page and no redirect is required.
I think we all agree that UX is one issue other than phishing that OpenID
has had to deal with over the last few years.


However, I'm slightly perturbed that FB Connect is perceived to be *easier*
when it seems to me it is a potential phishing security nightmare (worse than
anything thrown at OpenID) in the works. Let me first apologize if I am off
base here as I have read some of the doco and admit the devil can be in the
detail sometimes.

However, I can't imagine any secure manner (possibly, beyond something like
CardSpace integrated into the OS) in which you can ask a user to log in via
an *inline* browser window. I can ONLY see an absolute requirement that you
go to your provider and get redirected back - that the web site you are
entering the details into is the one shown in your address bar.

In no time at all many of us could hack an image popup that looks like the FB
Connect login screen. In fact even if you were 100% sure (say via a browser
button) that the script added WAS that of FB Connect, it is trivial using a
DIV and CSS's z-index and any number of other methods to put another
identical window on top of that one.

Am I seriously, seriously missing something here? I love the UX on FB Connect
but all I see are potential security holes.

IMHO OpenID should be built *into* the browsers if we want to get this kind
of inline authentication mechanism.

steven

http://livz.org
[1] http://tinyurl.com/5puo96
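The invariant the post argues for, that the site you type your password into is the one shown in the address bar, can be enforced on the provider side: a login page that refuses to render a credential form unless it is the top-level document, and that tells the browser not to frame it at all. The following is an added example, not code from the original post or from OpenID or FB Connect; the function names, the placeholder host `provider.example` and the constructed window objects are assumptions for illustration.

```javascript
// Added example (not from the original post): a provider-side check that a
// credential form is only rendered when the containing document is the
// top-level page, so the address bar reflects the site being typed into.
// PROVIDER_HOST, the function names and the window objects are assumptions.

const PROVIDER_HOST = "provider.example"; // constructed placeholder host

// Decide whether a login page may render its password field.
// `win` is a window-like object: { self, top, location: { protocol, hostname } }.
// Returns a verdict plus the reason so the caller can log refusals.
function credentialEntryAllowed(win) {
  if (!win || !win.location) return { allowed: false, reason: "no-window" };
  // An inline widget (iframe) is exactly the case the post warns about:
  // whatever the parent page draws over the frame, the frame cannot see it,
  // so the safe answer is to not show a password field inside one at all.
  if (win.top !== win.self) return { allowed: false, reason: "framed" };
  if (win.location.protocol !== "https:") return { allowed: false, reason: "not-https" };
  if (win.location.hostname !== PROVIDER_HOST) return { allowed: false, reason: "wrong-host" };
  return { allowed: true, reason: "top-level-provider-page" };
}

// Response headers the provider should send with its login page so the
// browser itself refuses to embed it in another site's frame. This is the
// robust form of the same rule; a script-only check can be defeated.
function loginPageHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Constructed window objects standing in for the two situations in the post.
function makeWindow({ framed, protocol = "https:", hostname = PROVIDER_HOST }) {
  const self = {};
  const top = framed ? {} : self; // a framed document sees a different top
  return { self, top, location: { protocol, hostname } };
}

// Top-level visit after a redirect: the address bar shows the provider.
const redirected = credentialEntryAllowed(makeWindow({ framed: false }));
// Inline widget embedded by a relying party: refuse to render the form.
const inline = credentialEntryAllowed(makeWindow({ framed: true }));

console.log(redirected, inline, loginPageHeaders());
```

The script check gives a readable verdict for logging, but the headers are what actually stop a relying party, or a phishing page, from embedding the provider's login form; the check in `credentialEntryAllowed` is defence in depth for browsers that ignore them.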
