<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Helvetica, Arial, sans-serif">My concern with this is that
it requires users to allow persistent cookies. This seems inherently
insecure, what with hacks to read stored cookies, etc. I pretty much
only allow cookies for a session (and hence pretty much just use
Firefox or Camino nightly builds that support this functionality). For
the majority of users, knowing when it is OK to allow persistent
cookies and when not to is going to be way too complicated to deal with.<br>
<br>
Maybe the OpenID/Mozilla integration could address this by allowing
persistent cookies for the OpenID Providers registered with the browser.<br>
<br>
Thanks,<br>
George<br>
</font><br>
Marcin Jagodziński wrote:
<blockquote cite="mida3e73aa40701190712j31571d7cgc7fc6b1e26dfc759@mail.gmail.com" type="cite">
<pre wrap="">I don't think it will work, sorry. While this prevents phishing, this
also prevents OpenID from mass adoption. People are lazy, they don't
want to type anything. That is, of course, my humble opinion.
Another idea: what about a permanent cookie set by the OP? A phished OP cannot
access it. The cookie can contain some info provided by the user (e.g.
the title of his favourite song, his favourite quote). If the cookie can be
read, its content is displayed ("Hello johndoe, your favorite
song is Yellow Submarine, please login below"); if not, "Hello johndoe,
we cannot recognize you, please check location bar and SSL
certificate... etc.")
What do you think about it?
regards,
Marcin
2007/1/19, Simon Willison <a class="moz-txt-link-rfc2396E" href="mailto:simon@simonwillison.net"><simon@simonwillison.net></a>:
</pre>
<blockquote type="cite">
<pre wrap="">On 19 Jan 2007, at 14:19, Ben Laurie wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Still totally unhappy about the phishing issues, which I blogged
about here:
<a class="moz-txt-link-freetext" href="http://www.links.org/?p=187">http://www.links.org/?p=187</a>
</pre>
</blockquote>
<pre wrap="">I have a proposal which I think could greatly reduce the risk of
phishing: identity providers should /never/ display their login form
(or a link to the form) on a page that has been redirected to by an
OpenID consumer.
Instead, they should instruct the user to navigate to the login page
themselves. The login page should have a short, memorable URL and
users should be encouraged to bookmark it themselves when they sign
up for the provider. The OpenID "landing page" then becomes an
opportunity to help protect users against phishing rather than just
being a vector for the attack.
I've fleshed this out on my blog:
<a class="moz-txt-link-freetext" href="http://simonwillison.net/2007/Jan/19/phishing/">http://simonwillison.net/2007/Jan/19/phishing/</a>
Does that sound workable?
Cheers,
Simon
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
</blockquote>
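<p>The two mechanisms discussed in the quoted messages, Marcin's persistent recognition cookie set by the OP and Simon's rule that an OP never renders its login form on a page the consumer redirected to, are sketched below as a small Python model of an OpenID Provider's landing-page decision. This is an added example, not code from the thread or from any OpenID implementation. The user record, the cookie name <code>op_recognize</code>, the bookmark URL <code>https://op.example/login</code> and the page messages are all constructed for illustration. One deliberate design choice, which goes slightly beyond Marcin's description and addresses George's worry about stored cookies being read: the cookie carries only an opaque random token, marked Secure and HttpOnly, and the recognition phrase itself stays server-side, so a copied cookie value does not reveal the phrase.</p>

```python
"""Added example: landing-page logic for a hypothetical OpenID Provider.
Not code from the mailing-list thread; all names and data are constructed."""
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Constructed sample: each user's chosen recognition phrase lives server-side.
USERS = {"johndoe": "your favorite song is Yellow Submarine"}
# Opaque token -> username, filled in by issue_recognition_cookie().
TOKENS = {}

# Short, memorable login URL that users are told to bookmark (constructed).
BOOKMARK_URL = "https://op.example/login"


def issue_recognition_cookie(username):
    """Return the Set-Cookie header value the OP sends after a real login.

    Only a random token goes into the cookie; the phrase is never stored
    client-side.  Secure limits it to TLS, HttpOnly keeps page scripts from
    reading it, and the one-year Max-Age is what makes it persistent.
    """
    token = secrets.token_urlsafe(32)
    TOKENS[token] = username
    c = SimpleCookie()
    c["op_recognize"] = token
    c["op_recognize"]["secure"] = True
    c["op_recognize"]["httponly"] = True
    c["op_recognize"]["max-age"] = 60 * 60 * 24 * 365
    c["op_recognize"]["path"] = "/"
    return c.output(header="").strip()


def recognize(cookie_header):
    """Map a Cookie header to (username, phrase), or None if unrecognised.

    A look-alike site on another origin never receives this cookie, so it
    cannot reproduce the phrase; a bogus or missing token yields None.
    """
    c = SimpleCookie()
    try:
        c.load(cookie_header or "")
    except Exception:          # malformed header: treat as no cookie
        return None
    morsel = c.get("op_recognize")
    if morsel is None:
        return None
    user = TOKENS.get(morsel.value)
    return None if user is None else (user, USERS[user])


@dataclass
class Page:
    show_login_form: bool
    message: str


def landing_page(query, cookie_header):
    """Decide what the OP renders for an incoming request.

    `query` is the parsed query string.  A request carrying an OpenID
    checkid mode is one the consumer redirected the browser to; following
    Simon's proposal such a page never shows the login form or a link to
    it, only plain-text instructions to use the bookmarked address.
    """
    arrived_by_redirect = query.get("openid.mode") in (
        "checkid_setup", "checkid_immediate")
    if arrived_by_redirect:
        # The pending request is parked; the user resumes it after logging
        # in from the page they navigated to themselves.
        return Page(False,
                    "A site asked you to log in. Please open your bookmarked "
                    "login page (" + BOOKMARK_URL + ") yourself; do not enter "
                    "your password on a page you were sent to.")
    rec = recognize(cookie_header)
    if rec is None:
        # Marcin's fallback: no recognised cookie, so warn before the form.
        return Page(True,
                    "Hello, we cannot recognize you. Please check the location "
                    "bar and SSL certificate before entering your password.")
    user, phrase = rec
    return Page(True, "Hello %s, %s. Please log in below." % (user, phrase))


if __name__ == "__main__":
    header = issue_recognition_cookie("johndoe")
    token = header.split(";")[0].split("=", 1)[1]
    print(landing_page({"openid.mode": "checkid_setup"}, None).message)
    print(landing_page({}, "op_recognize=" + token).message)
    print(landing_page({}, "op_recognize=stolen-guess").message)
```

<p>Run as a script, the three printed lines show the redirected landing page with no form, the recognised user greeted with their phrase, and the unrecognised visitor getting the warning. Note what the model does not solve, which is exactly George's point: the recognition cookie only helps if the browser keeps it, so a user who clears cookies each session sees the warning every time and learns to ignore it.</p>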
</body>
</html>