[OpenID] OpenID User Interface Working Group
Peter Williams
pwilliams at rapattoni.com
Fri Mar 20 14:35:04 UTC 2009
Yes.
"Pape" negotiation (vs OP-centric governance) is the normal way to handle it (pape being a low end ciphersuite negotiation mechanism). Then the parties remain as peers, and rp-centric federation models stay as legitimate as op-centric federation models. Quite which one fits a particular app is an operational matter.
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Paul Madsen
Sent: Friday, March 20, 2009 7:32 AM
To: Andrew Arnott
Cc: general at openid.net
Subject: Re: [OpenID] OpenID User Interface Working Group
isn't the domain of 'resistant to phishing' or not the domain of PAPE?
Andrew Arnott wrote:
You know what would be neat is if there was an OpenID extension by which an RP can discover whether an OP deemed it safe to have its login page be placed in an RP's iframe. OPs can place their login pages in iframes totally safely, I'd say, if they took InfoCard as their login credential.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire
On Thu, Mar 19, 2009 at 7:07 PM, Allen Tom <atom at yahoo-inc.com<mailto:atom at yahoo-inc.com>> wrote:
Hi Andrew,
I am in total agreement with you that phishing is a huge problem, and the Yahoo Membership team (the same folks working on OpenID) devotes a considerable amount of resources to fight phishing, as well as trying to help users who have been phished.
We also put in a lot of effort to educate users about phishing, and we strongly encourage our users to set up a personalized anti-phishing Sign-in Seal, as well as to always check the address bar of the browser before entering their Yahoo credentials.
http://security.yahoo.com/article.html?aid=2006102503
https://protect.login.yahoo.com/
http://openid.yahoo.com/ (Click on the OpenID Tour link to learn about phishing and OpenID)
We are totally against the concept of allowing an RP to open a frame for the user to enter their OP's password. As you pointed out, the user would have no idea where the password is going, and this would be extremely insecure. Earlier versions of Facebook Connect used to demonstrate this behavior, and I'm very glad to see that Facebook has since moved the password validation into a standalone popup window, with the browser's addressbar clearly displayed.
One of Yahoo's primary security requirements with Federated SSO (OpenID, OAuth, BBAuth, SAML) is that the user is able to recognize the Yahoo Login screen. We do this by educating users to always check the address bar and to create a customized Sign-in Seal. The UI Working Group believes that a popup authentication screen, in a standalone browser window (not framed) and with the address bar clearly displayed, provides users with the same ability to detect phishing as the existing full browser redirect user experience that is used by OpenID today.
From a user experience perspective, eliminating the browser redirect maintains the context of the RP's site, which is the biggest complaint that we've received with BBAuth, OAuth, and OpenID. Facebook, Yahoo, and many others have UX research showing that the redirect is a very jarring experience, and the success rate can be dramatically improved by moving to a popup flow.
As far as I can tell, an independent popup window, with the address bar displayed, has the same characteristics with regards to phishing, as the full browser redirect. The popup window does not prevent OPs from deploying anti-phishing technologies, and I believe that the popup will drive more widespread usage of OpenID, which will also increase demand for anti-phishing solutions.
thanks
Allen
Nash, Andrew wrote:
One of the ways that we have been able to reduce the incidence of
successful account takeovers has been to drill into consumers that they
should NEVER sign into an account on a domain that is not directly
associated with the account provider. This is not perfect, but then none
of the anti-phishing techniques are - it is why we have to spend so much
money and utilize so many different strategies.
As it reads, UI working group will be socializing the concept among
users that it is perfectly fine to enter your authentication information
at any site that pops up a frame asking for it. From an Internet trust
perspective this is a REALLY BAD IDEA!
OpenID is already criticized for its exposure to phishing and spoofing
attacks. If this approach is taken in the way it seems to be described,
we will pretty much ensure that no one that has medium to high value
transactions or services will be interested in implementing OpenID.
--Andrew
_______________________________________________
general mailing list
general at openid.net<mailto:general at openid.net>
http://openid.net/mailman/listinfo/general
--
Paul Madsen
e:paulmadsen @ ntt-at.com
p:613-482-0432
m:613-282-8647
web:connectid.blogspot.com
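The PAPE negotiation that Peter Williams and Paul Madsen refer to above, as an added example (not code from this thread, from Yahoo, or from any OpenID library): an RP asks the OP for the phishing-resistant policy and a maximum authentication age, then checks the OP's positive assertion. The namespace, parameter names and policy URIs are the ones defined in PAPE 1.0; the OP response is constructed for the example, and the code assumes the caller has already verified openid.sig over the openid.signed fields with the association key, since PAPE fields only count if they are inside that signed set. Note what PAPE does and does not do: it carries the OP's own claim about how it authenticated the user; it cannot stop an RP from framing the OP's login page, which is the separate concern raised in the thread.

```python
from datetime import datetime, timezone

# Namespace and policy URIs as defined in PAPE 1.0.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
NONE_POLICY = "http://schemas.openid.net/pape/policies/2007/06/none"


def build_pape_request(preferred_policies, max_auth_age=None):
    """Parameters the RP adds to its checkid_setup request to ask the OP for
    particular authentication policies and, optionally, a freshness bound."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def _pape_alias(params):
    """The OP may bind the PAPE namespace to any alias, not necessarily 'pape'."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def check_pape_response(params, required_policy, max_auth_age=None, now=None):
    """Decide whether an OP's positive assertion satisfies the policy the RP
    asked for. Returns (ok, reason). Assumes openid.sig has already been
    verified over the openid.signed fields by the caller's OpenID library;
    here we only check that the PAPE fields are inside that signed set and
    say what the RP needs."""
    alias = _pape_alias(params)
    if alias is None:
        return False, "OP ignored the PAPE request"
    signed = set(params.get("openid.signed", "").split(","))
    policies_field = "%s.auth_policies" % alias
    for field in ("ns." + alias, policies_field):
        if field not in signed:
            return False, "unsigned PAPE field: " + field
    policies = params.get("openid." + policies_field, "").split()
    # The OP answers 'none' when it met no policy at all; treat that, or the
    # absence of the policy we need, as a failed negotiation.
    if NONE_POLICY in policies or required_policy not in policies:
        return False, "OP did not assert " + required_policy
    if max_auth_age is not None:
        time_field = "%s.auth_time" % alias
        if time_field not in signed:
            return False, "unsigned PAPE field: " + time_field
        raw = params.get("openid." + time_field)
        if raw is None:
            return False, "OP omitted auth_time"
        try:
            # PAPE auth_time is UTC in the form YYYY-MM-DDThh:mm:ssZ.
            auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed auth_time: " + raw
        now = now or datetime.now(timezone.utc)
        age = (now - auth_time).total_seconds()
        if age < 0 or age > max_auth_age:
            return False, "authentication too old: %d s" % age
    return True, " ".join(policies)


# Constructed positive assertion from an OP (not a captured message); only the
# fields relevant to PAPE and the openid.signed list are shown.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT + " " + MULTI_FACTOR,
    "openid.pape.auth_time": "2009-03-20T14:30:00Z",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
}
# Fixed clock so the freshness check is reproducible (assumed value).
NOW = datetime(2009, 3, 20, 14, 35, 4, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(build_pape_request([PHISHING_RESISTANT], max_auth_age=600))
    print(check_pape_response(SAMPLE_RESPONSE, PHISHING_RESISTANT, 600, NOW))
    print(check_pape_response(SAMPLE_RESPONSE, PHISHING_RESISTANT, 300, NOW))
```

With the constructed response the first check passes (304 seconds elapsed, limit 600) and the second fails on freshness. The alias lookup matters in practice: nothing obliges the OP to use "pape" as the namespace alias, and an RP that hard-codes it will silently skip the policy check when an OP picks another.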