[OpenID] Security related Use Cases?

Ben Laurie benl at google.com
Mon Oct 20 12:20:14 UTC 2008


On Sat, Oct 18, 2008 at 4:40 AM, Allen Tom <atom at yahoo-inc.com> wrote:
> Dick Hardt wrote:
>> Have you tested the OP user experience with a malicious RP? i.e. how
>> easy is it for a malicious RP to fool users to pretend they are your OP?
> This is exactly the reason why we require that the Yahoo Login screen
> always appear in the entire browser window, with the address bar
> displaying https://login.yahoo.com.
>
> We do not allow the Yahoo Login screen to be framed,

Can you do that when JS is disabled?

> and we encourage
> all users, especially OpenID users, to set up an anti-phishing Sign-in
> Seal, which is a customized image that's displayed next to the Login form.

Surely research has shown that these are completely ineffective? That
is, if the phisher replaces the seal with "sorry, our server is down
right now" most people go ahead and log in anyway.

>
> Allen
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
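The framing point Ben raises above can be answered without client-side script. Here, as an added example that is not part of the thread, is a small checker that classifies whether a login page's response headers make the browser itself refuse to frame it (X-Frame-Options and CSP frame-ancestors, both browser-enforced mechanisms that postdate this 2008 exchange), versus a page that relies only on a JavaScript frame-buster, which does nothing when JS is disabled. The header sets are constructed samples.

```python
# Added example (not from the thread): decide whether an HTTP response
# forbids framing of the login page without relying on client-side script.
# X-Frame-Options and CSP frame-ancestors are enforced by the browser,
# so they hold even with JavaScript disabled; a JS frame-buster does not.

def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def framing_policy(headers: dict) -> str:
    """Classify the browser-enforced anti-framing protection of a response.

    'denied'      - no site may frame the page
    'same-origin' - only the page's own origin may frame it
    'restricted'  - an explicit allow-list of framing origins
    'unprotected' - nothing the browser enforces (a page that only ships a
                    <script>if (top != self) ...</script> buster lands here)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    # When both are present, CSP frame-ancestors overrides X-Frame-Options;
    # a CSP without that directive falls through to X-Frame-Options.
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            if sources in ([], ["none"]):   # empty source list matches nothing
                return "denied"
            if sources == ["self"]:
                return "same-origin"
            return "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"

# Constructed sample responses for a hypothetical login page.
HEADER_ENFORCED = {"X-Frame-Options": "DENY", "Content-Type": "text/html"}
CSP_ENFORCED = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
JS_ONLY = {"Content-Type": "text/html"}   # body relies solely on a JS frame-buster

if __name__ == "__main__":
    for name, h in [("header", HEADER_ENFORCED), ("csp", CSP_ENFORCED), ("js-only", JS_ONLY)]:
        print(name, framing_policy(h))
```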
