[OpenID] [security] MyOpenID anti-phishing tools ...
Mike Glover
mpg4 at janrain.com
Wed Jan 24 17:16:55 UTC 2007

Marcin-

SafeSignin will prevent you from entering your password if you've been
redirected from another website. To try it out:

* go to myopenid.com/settings
* check the 'Activate SafeSignin...' box
* log out of MyOpenID
* try to use your MyOpenID to log in somewhere

Instead of being asked for your password, you should get a screen
telling you to use your bookmark to log in.

The Personal Icon is tied to a cookie that will be sent to
[anything].myopenid.com. We look up the image based on that cookie, and
serve the image back to you.

-mike

Marcin Jagodziński wrote:
> Scott,
>
> I don't quite get SafeSignIn. I have a weblog (nettoblog.com) that is
> OpenID enabled. I've entered reuptake.myopenid.com identifier as
> login. Then I had to enter URL in Location bar. Then I logged in...
> and? What's next? I expected something like:
>
> "A site identifying as http://nettoblog.com has asked us for
> confirmation that http://reuptake.myopenid.com/ is your identity URL.
> nettoblog.com also asked for additional information. It did not
> provide a link to the policy on data it collects"
>
> How can I login to weblog using SafeSignIn and MyOpenID?
>
> And second question: what do you mean by "personalized image for MyOpenID that is
> not tied to your account"? Does it mean that it's stored in a cookie
> readable by myopenid.com not reuptake.myopenid.com?
>
> regards,
>
> Marcin
>
> 2007/1/24, Scott Kveton <scott at janrain.com>:
>> Inspired by a lot of the discussion happening here on the mailing lists
>> (yes, I'm cross-posting, I think it's applicable) we've gone and implemented
>> two new features on MyOpenID.com to help fight phishing:
>>
>> * Personal Icon: Allows you to set a personalized image for MyOpenID that is
>> not tied to your account that is only visible from the browser you install
>> it on. This helps you with a visual clue on when you might be getting
>> phished.
>>
>> * SafeSignIn: Inspired by Simon Willison, we created an option that allows
>> users to not be redirected to a password screen from another site. You are
>> presented with a dialog that asks you to navigate to the page via a bookmark
>> or enter the address manually in the address bar.
>>
>> We wanted to get something up quickly while we discuss options for the
>> specification/appendix/etc to make sure our users are as secure as they can
>> be.
>>
>> You can read more about it here:
>>
>> http://kveton.com/blog/?p=211
>>
>> We'd love to hear thoughts from folks on these new tools,
>>
>> - Scott
>>
>> _______________________________________________
>> security mailing list
>> security at openid.net
>> http://openid.net/mailman/listinfo/security
>>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
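
The two behaviours described in this thread, as an added sketch that is not part of the original messages and is not MyOpenID's code: the provider never renders a password field for a sign-in that arrived by redirect from another site, and the personal icon is looked up from a browser cookie rather than from the account. The `Request` type, the page names, the `icon_id` cookie name and the sample data are assumptions made for the illustration; `openid.mode`, `openid.identity` and `openid.return_to` are the OpenID 1.x request parameters.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample data standing in for the provider's storage.
ICONS = {"dev-7f3a": "icons/blue-heron.png"}      # browser cookie value -> icon
SAFE_SIGNIN = {"http://reuptake.myopenid.com/"}   # identities with the option on

@dataclass
class Request:
    params: dict = field(default_factory=dict)    # query string parameters
    cookies: dict = field(default_factory=dict)   # cookies the browser sent
    session_user: Optional[str] = None            # identity already signed in

def personal_icon(req: Request) -> Optional[str]:
    # Keyed on a per-browser cookie, not the account: a look-alike site on
    # another domain never receives the cookie, so it cannot show the icon.
    return ICONS.get(req.cookies.get("icon_id", ""))

def from_relying_party(req: Request) -> bool:
    # An OpenID 1.x authentication request arrives as a redirect carrying
    # openid.mode=checkid_setup plus the identity being claimed.
    return req.params.get("openid.mode") == "checkid_setup"

def next_page(req: Request) -> Tuple[str, Optional[str]]:
    """Return (page to render, personal icon path or None)."""
    icon = personal_icon(req)
    identity = req.params.get("openid.identity")
    if from_relying_party(req):
        if req.session_user and req.session_user == identity:
            return "approve_request", icon      # signed in already: confirm the site
        if identity in SAFE_SIGNIN:
            return "use_your_bookmark", icon    # never a password field here
        return "password_form", icon
    if req.session_user:
        return "settings", icon
    return "password_form", icon                # reached via bookmark or typed URL
```

With the option on, the only route to a password field is a request that carries no relying-party parameters, which is the bookmark or typed-address path; after signing in that way, the repeated redirect from the weblog reaches the approval page.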