[OpenID] OpenID User Interface Working Group
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Mar 23 00:42:01 UTC 2009
On 03/23/2009 02:33 AM, Allen Tom:
> Hi Andrew,
>
> Thanks for the follow up, as Breno and I have stated a few times, we
> believe that from an anti-phishing perspective, the popup is
> equivalent to the existing full browser redirect UI. If the concern is
> that the browser chrome is spoofed in HTML, then I believe the special
> EV cert green address bar visual indicator would also be vulnerable to
> spoofing on IE and Firefox, although the treatment might be more
> spoofing resistant on Safari (the visual indicator appears in the
> browser's title bar).
Your assumptions that users will notice the difference between a window
with and without an address bar are basically wrong. A little research would
tell you that most users will enter their details anyway.
Which leads us again to the issue of user/pass pairs and their
usefulness (no matter what visual indicators and helpers are presented).
However, a full page might still protect some users better than a
small pop-up...
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390