[OpenID] Why spoofing and OpenID look so much alike
Peter Williams
pwilliams at rapattoni.com
Mon Sep 29 14:31:41 UTC 2008
So it's definitely true that personalized images are perceived to do effective (consumer grade) server auth. It prompts the recall fn of the human brain. The cert/seal dialog rendered by win32 (not browser) did have its drawbacks true: rather than consult the cert evidence it introduced (that also assures openid auth, let's note), consumers tended to just click through the annoying cert display.
Fun to note that I first saw the articulation of server side visual auth for anti-phishing in papers by Ed Gerck - someone CS academics tend to diss (he writes everything like the treatise of a 19th century German physicist, in English).
-----Original Message-----
From: Jack Cleaver <jack at jackpot.uk.net>
Sent: Monday, September 29, 2008 6:46 AM
To: general at openid.net <general at openid.net>
Subject: Re: [OpenID] Why spoofing and OpenID look so much alike
Peter Williams wrote:
> In IE3, Authenticode users were shown a very characteristic
> certificate-like dialog, introducing the trusted publishers of native
> code in signed/timestamp-validated ActiveX form.
But users didn't know how to tell if it was real or not. More
particularly, users know that a picture on the screen of a seal, or of
squiggly lines like you see on certificates and banknotes, are just that:
pictures. So if you show them (a rendition of) a real certificate with
those pictorial attributes, they are rightly suspicious: someone is
trying to use easily-faked images to convince them that something is real.
Fershure _I_ don't know how to help users distinguish between the real
and the fake; but images that look like seals are snake-oil, and sooner
or later users will suss that out (sooner, most likely).
--
Jack.