[OpenID] Security related Use Cases?
Breno de Medeiros
breno at google.com
Tue Oct 21 18:06:58 UTC 2008
On Tue, Oct 21, 2008 at 9:26 AM, Allen Tom <atom at yahoo-inc.com> wrote:
> Ben Laurie wrote:
>>> We do not allow the Yahoo Login screen to be framed,
>>
>> Can you do that when JS is disabled?
>
> No, JS must be enabled for the framebusting code to work. That being said,
> our studies show that more than 99% of users have JS enabled, and
> realistically speaking, users who disable JS for security reasons are
> probably not going to get phished.
IE allows you to create an iframe and disable JS inside the iframe.
70-85% of users will be vulnerable to this attack.
>
>> Surely research has shown that these are completely ineffective? That
>> is, if the phisher replaces the seal with "sorry, our server is down
>> right now" most people go ahead and log in anyway.
>
> The Sign-in Seal is intended to help users recognize the Yahoo Login Screen.
> It is not intended to be a 100% foolproof solution, but rather it is an
> extra factor for users who worry about phishing to have a greater assurance
> that they're not being phished when entering their password.
>
> Allen
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
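Added example, not part of this thread or of Yahoo's code: the point raised above is that a JavaScript framebuster does nothing once scripting is disabled inside the frame, so a defender wants the framing policy enforced by the server's response headers instead. The check below evaluates a response's X-Frame-Options and CSP frame-ancestors headers (real headers, standardized after this 2008 thread); the sample responses are constructed.

```javascript
// Decide whether an HTTP response may be framed, using only what the server
// sent. A script-based framebuster is ignored on purpose: it is not a policy
// the browser enforces, and it fails whenever scripting is off in the frame.

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  // headers: plain object with lower-cased header names (as Node's http gives).
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  // When both are present, browsers honour frame-ancestors and ignore X-Frame-Options.
  if (ancestors) {
    if (ancestors.includes("'none'")) return 'blocked';
    if (ancestors.every((a) => a === "'self'")) return 'same-origin-only';
    return 'allowed-from: ' + ancestors.join(' ');
  }
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin-only';
  if (xfo.startsWith('ALLOW-FROM')) {
    return 'allowed-from: ' + xfo.slice('ALLOW-FROM'.length).trim().toLowerCase();
  }
  return 'frameable'; // no server-side policy at all; JS framebusting alone lands here
}

function hardenLoginHeaders(headers) {
  // Weak setting beside the corrected one: copy the headers and add both
  // policies so old (X-Frame-Options) and current (CSP) browsers refuse to frame.
  return Object.assign({}, headers, {
    'x-frame-options': 'DENY',
    'content-security-policy': "frame-ancestors 'none'",
  });
}

// Constructed sample: a login page response that relies on a JS framebuster only.
const weakLoginResponse = { 'content-type': 'text/html; charset=utf-8' };
const hardenedLoginResponse = hardenLoginHeaders(weakLoginResponse);
```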