[OpenID] Security related Use Cases?
Allen Tom
atom at yahoo-inc.com
Tue Oct 21 16:26:45 UTC 2008
Ben Laurie wrote:
>
>>
>> We do not allow the Yahoo Login screen to be framed,
>>
>
> Can you do that when JS is disabled?
>
>
No, JS must be enabled for the framebusting code to work. That being
said, our studies show that more than 99% of users have JS
enabled, and realistically speaking, users who disable JS for security
reasons are probably not going to get phished.
> Surely research has shown that these are completely ineffective? That
> is, if the phisher replaces the seal with "sorry, our server is down
> right now" most people go ahead and log in anyway.
>
The Sign-in Seal is intended to help users recognize the Yahoo Login
Screen. It is not intended to be a 100% foolproof solution, but rather
it is an extra factor for users who worry about phishing to have a
greater assurance that they're not being phished when entering their
password.
Allen