[OpenID] Reconsidering http://openid different from https://openid
Peter Williams
pwilliams at rapattoni.com
Wed Sep 19 21:05:38 UTC 2007
So I asked my wife. She is a long-term "consumer-grade" web user who used Netscape 1 on a Mac Quadra with a whopping, almost unobtainable 16 MB of RAM at NASA. She had lots of access to know-how, having worked for the head of the NASA Science Internet group for a while. Browsers on 14k modems could wander (4 min per image) through a terabyte of graphics of astronomical photos. Before that, she got to do lots of poster art etc. for the K-12 initiative with logos and suitable imagery (promoting internet adoption in schools, basically). Had to write lots of stupid security clearance documents allowing some "web guys" to go install a Netscape "WebServer" on a couple of Sun 4 servers in a closet near Bill at whitehouse.gov's office! Etc.
Speaking today on her 2GHz, 2GB RAM machine on a $20 a month 2Mbps home internet circuit:
"I've no idea what http is. I never type it. I search on the term Apple, for example, and click the link there."
"I only ever typed it in the last year when a support person read it out loud to me."
"I always assumed 'http' is some kind of network name - something similar to the name of an Appletalk fileserver?"
"https makes the padlock show shut, when using credit cards".
"The s is for secure? No?"
(The last one is fun. She only knows that probably because she is married to someone who spent two years talking to her at the meal table about https design and other VISA/MASTERCARD secure payment standards!)
________________________________
From: general-bounces at openid.net on behalf of Jack
Sent: Wed 9/19/2007 1:30 PM
To: Johannes Ernst
Cc: OpenID List
Subject: Re: [OpenID] Reconsidering http://openid different from https://openid
Johannes Ernst wrote:
> I postulate that:
>
> - 99% of internet users have only a very vague idea about the
> difference between http and https,
That is optimistic. Most (more than 50%) haven't the faintest idea what
"https" signifies. They don't even know that it has connotations of
"security".
> in particular as it relates to OpenID.
Even well-informed internet users haven't heard of OpenID, unless they
read or write blogs for interest (rather than reading them because they
came up in the search).
> And in particular as so many RP's don't print the "http[s]" prefix
> when they print a user name!
This is way down the list. Unfortunately it is not user-friendly to
distinguish between http and https, especially if you are advertising a
class of identities that resemble "userid.hostname.tld" or
"hostname.tld/userid". Are the users expected to type fully-qualified
URLs to obtain the benefits of this scheme, or are they not required to
know how to do that? A lack of clarity about that rather critical issue
is unlikely to be helpful.
>
> - almost 100% of internet users won't understand that an RP might
> choose to make http://foo and https://foo a different account. (I
> have some evidence that at least 90% of a representative sample of
> leading identity technologists don't understand it)
>
> I would also guess that a (human-level) impersonation attack by
> http://foo against https://foo will almost always be successful -
> e.g. because so many RPs don't print the protocol prefix.
>
> Would anybody on this thread disagree with these assumptions?
Not in any way that matters. My remarks are intended to be supportive,
if that's not clear.
--
Jack Cleaver.
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
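As an added example, not code from this thread and not the OpenID specification's own code: a simplified version of the URL-identifier normalization from OpenID Authentication 2.0 section 7.2 (XRI identifiers omitted), next to the two display styles the thread contrasts. The identifier host foo.example, the helper names and the sample account set are made up for the illustration; the point it shows is that http://foo and https://foo normalize to distinct identifiers, so an RP that keys accounts on the normalized URL has two accounts, while a display that drops the scheme renders both as the same string.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_identifier(user_input: str) -> str:
    """Simplified OpenID 2.0 section 7.2 normalization for URL identifiers.

    Adds a missing scheme, lower-cases scheme and host, drops a default port
    and the fragment, and gives an empty path a trailing slash (RFC 3986
    section 6).  XRIs (xri://, =, @, ...) are deliberately not handled here.
    Note that the scheme is kept: http://x/ and https://x/ stay distinct.
    """
    s = user_input.strip()
    if not (s.lower().startswith("http://") or s.lower().startswith("https://")):
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    netloc = parts.netloc.lower()
    if (scheme == "http" and netloc.endswith(":80")) or (
        scheme == "https" and netloc.endswith(":443")
    ):
        netloc = netloc.rsplit(":", 1)[0]
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def display_without_scheme(identifier: str) -> str:
    """The display style the thread criticises: the RP prints the identifier
    with its http:// or https:// prefix (and trailing slash) removed, so the
    two scheme variants of one identifier are indistinguishable on screen."""
    for prefix in ("https://", "http://"):
        if identifier.startswith(prefix):
            identifier = identifier[len(prefix):]
            break
    return identifier.rstrip("/")


def scheme_sibling(identifier: str) -> str:
    """Return the same identifier under the other scheme (hypothetical helper)."""
    parts = urlsplit(identifier)
    other = "https" if parts.scheme == "http" else "http"
    return urlunsplit((other, parts.netloc, parts.path, parts.query, ""))


def display_with_scheme(identifier: str, known_accounts) -> str:
    """A display that keeps the scheme visible and, if the RP already holds an
    account that differs only in scheme, says so next to the name."""
    label = identifier
    twin = scheme_sibling(identifier)
    if twin in known_accounts:
        label += " [differs only in scheme from existing account " + twin + "]"
    return label


def demo():
    # Constructed sample: an RP that has seen both scheme variants of one user.
    accounts = {normalize_identifier(i) for i in ("foo.example", "https://Foo.Example/")}
    naive = {display_without_scheme(a) for a in accounts}
    careful = {display_with_scheme(a, accounts) for a in accounts}
    return len(accounts), len(naive), len(careful)


if __name__ == "__main__":
    n_accounts, n_naive, n_careful = demo()
    print("distinct accounts:", n_accounts)
    print("distinct names when the scheme is dropped:", n_naive)
    print("distinct names when the scheme is shown:", n_careful)
```

Run stand-alone it reports two accounts that collapse to one name under the scheme-less display and stay apart under the scheme-preserving one; the normalization keeps the scheme precisely because the specification treats the two URLs as different identifiers, which is what makes the display choice matter.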