[OpenID] Security related Use Cases?

Allen Tom atom at yahoo-inc.com
Tue Oct 21 16:26:45 UTC 2008


Ben Laurie wrote:
>> We do not allow the Yahoo Login screen to be framed,
>
> Can you do that when JS is disabled?

No, JS must be enabled for the framebusting code to work. That being 
said, our studies show that more than 99% of users have JS
enabled, and realistically speaking, users who disable JS for security 
reasons are probably not going to get phished.

> Surely research has shown that these are completely ineffective? That
> is, if the phisher replaces the seal with "sorry, our server is down
> right now" most people go ahead and log in anyway.
>   
The Sign-in Seal is intended to help users recognize the Yahoo Login 
Screen. It is not intended to be a 100% foolproof solution, but rather 
it is an extra factor for users who worry about phishing to have a 
greater assurance that they're not being phished when entering their 
password.

Allen
