[OpenID] Directed Identity vs. "what the user typed"
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Mar 24 20:21:50 UTC 2009
>By the way, the "user at password:" portion is not permitted in an
>http: URL per the specification.
I think the idea was to use "username:password@", an old IE
convention for pre-loading the username and password to use if
prompted for authentication. This feature was eventually removed,
despite the convenience it added (bookmarkable "password entered"
sites), for security reasons: phishers were sending users to
"http://www.google.com@www.phisher.com/" and getting away with it
because users weren't paying much attention beyond seeing
"google.com".
-Shade
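To make the point of the post concrete from the defender's side, here is an added example (not part of the original message or of any OpenID library) that shows what a standards-conforming URL parser does with the "username:password@" form: the text before the "@" is treated as userinfo, and the browser connects to whatever host follows it. The check flags URLs whose userinfo part looks like a site name. It uses only Python's standard urllib.parse; the sample URLs are constructed for this example (the first one is the shape quoted in the post, and intranet.example is a placeholder host).

```python
from urllib.parse import urlsplit

# Constructed sample URLs for this example. The first has the shape
# described in the post above; the others are ordinary and credentialed
# URLs so the check can be seen to leave them alone.
SAMPLE_URLS = [
    "http://www.google.com@www.phisher.com/",
    "http://www.google.com/",
    "http://alice:secret@intranet.example/reports",
]


def audit_url(url):
    """Report where an http(s) URL really goes and whether a userinfo
    part ("user:password@") sits in front of the effective host.

    Returns a dict with the effective host (what a client connects to),
    the raw userinfo text if present, and a 'suspicious' flag that is
    set when the user name portion of the userinfo contains a dot and
    therefore reads like a hostname to a casual viewer.
    """
    parts = urlsplit(url)
    host = parts.hostname  # RFC 3986: everything after the last '@' in the authority
    userinfo = None
    if "@" in parts.netloc:
        userinfo = parts.netloc.rpartition("@")[0]
    # Only the user-name half (before any ':') is compared; a dotted
    # user name is the tell-tale of the look-alike form.
    suspicious = bool(userinfo) and "." in userinfo.split(":", 1)[0]
    return {
        "url": url,
        "scheme": parts.scheme,
        "host": host,
        "userinfo": userinfo,
        "suspicious": suspicious,
    }


def audit_all(urls=SAMPLE_URLS):
    """Audit a list of URLs; returns one report dict per URL, in order."""
    return [audit_url(u) for u in urls]


if __name__ == "__main__":
    for report in audit_all():
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{flag:10} host={report['host']!r:22} "
              f"userinfo={report['userinfo']!r}  <- {report['url']}")
```

Run as a script it prints one line per sample URL; for the first one the effective host is www.phisher.com and the flag is set, which is exactly the mismatch between "what the user read" and "where the browser went" that the post describes. A mail gateway or link checker can apply the same test before rendering a link, and a policy that simply rejects userinfo in http(s) URLs is the blunter but equally valid option.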