[OpenID] OpenID User Interface Working Group
Paul Madsen
paulmadsen at rogers.com
Fri Mar 20 14:31:45 UTC 2009
Isn't the domain of 'resistant to phishing' or not the domain of PAPE?
Andrew Arnott wrote:
> You know what would be neat is if there was an OpenID extension by
> which an RP can discover whether an OP deemed it safe to have its
> login page be placed in an RP's iframe. OPs can place their login
> pages in iframes totally safely, I'd say, if they took InfoCard as
> their login credential.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the
> death your right to say it." - Voltaire
>
>
> On Thu, Mar 19, 2009 at 7:07 PM, Allen Tom <atom at yahoo-inc.com> wrote:
>
> Hi Andrew,
>
> I am in total agreement with you that phishing is a huge problem,
> and the Yahoo Membership team (the same folks working on OpenID)
> devotes a considerable amount of resources to fighting phishing, as
> well as trying to help users who have been phished.
>
> We also put in a lot of effort to educate users about phishing,
> and we strongly encourage our users to set up a personalized
> anti-phishing Sign-in Seal, as well as to always check the address
> bar of the browser before entering their Yahoo credentials.
>
> http://security.yahoo.com/article.html?aid=2006102503
> https://protect.login.yahoo.com/
> http://openid.yahoo.com/ (Click on the OpenID Tour link to learn
> about phishing and OpenID)
>
> We are totally against the concept of allowing an RP to open a
> frame for the user to enter their OP's password. As you pointed
> out, the user would have no idea where the password is going, and
> this would be extremely insecure. Earlier versions of Facebook
> Connect used to demonstrate this behavior, and I'm very glad to
> see that Facebook has since moved the password validation into a
> standalone popup window, with the browser's address bar clearly
> displayed.
>
> One of Yahoo's primary security requirements with Federated SSO
> (OpenID, OAuth, BBAuth, SAML) is that the user is able to
> recognize the Yahoo Login screen. We do this by educating users to
> always check the address bar and to create a customized Sign-in
> Seal. The UI Working Group believes that a popup authentication
> screen, in a standalone browser window (not framed) and with the
> address bar clearly displayed, provides users with the same
> ability to detect phishing as the existing full browser
> redirect user experience that is used by OpenID today.
>
> From a user experience perspective, eliminating the browser
> redirect maintains the context of the RP's site, which is the
> biggest complaint that we've received with BBAuth, OAuth, and
> OpenID. Facebook, Yahoo, and many others have UX research showing
> that the redirect is a very jarring experience, and the success
> rate can be dramatically improved by moving to a popup flow.
>
> As far as I can tell, an independent popup window, with the
> address bar displayed, has the same characteristics, with regard
> to phishing, as the full browser redirect. The popup window does
> not prevent OPs from deploying anti-phishing technologies, and I
> believe that the popup will drive more widespread usage of OpenID,
> which will also increase demand for anti-phishing solutions.
>
> thanks
> Allen
>
>
> Nash, Andrew wrote:
>
>
> One of the ways that we have been able to reduce the incidence of
> successful account takeovers has been to drill into consumers that they
> should NEVER sign into an account on a domain that is not directly
> associated with the account provider. This is not perfect, but then none
> of the anti-phishing techniques are - it is why we have to spend so much
> money and utilize so many different strategies.
>
> As it reads, the UI working group will be socializing the concept among
> users that it is perfectly fine to enter your authentication information
> at any site that pops up a frame asking for it. From an Internet trust
> perspective this is a REALLY BAD IDEA!
>
> OpenID is already criticized for its exposure to phishing and spoofing
> attacks. If this approach is taken in the way it seems to be described,
> we will pretty much ensure that no one who has medium to high value
> transactions or services will be interested in implementing OpenID.
>
> --Andrew
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
--
Paul Madsen
e:paulmadsen @ ntt-at.com
p:613-482-0432
m:613-282-8647
web:connectid.blogspot.com
ConnectID <http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1>