<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.apple-style-span
{mso-style-name:apple-style-span;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Been on other things so apologies if this was discussed in
the previous thread on FB Connect …<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Perhaps I am mistaken on how FB Connect works, but today I read
[1] that one “issue” with OpenID is that you need to GO to the
provider web site to log in and so it’s a hassle for users, whereas with FB
Connect you can log in on that page and no redirect is required.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I think we all agree that UX is one issue other than
phishing that OpenID has had to deal with over the last few years.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>However, I’m slightly perturbed that FB Connect is
perceived to be *<b>easier</b>* when it seems to me it is potential phishing security
nightmare (worse than anything thrown at OpenID) in the works. Let me first
apologize if I am off base here as I have read some of the doco and admit the
devil can be in the detail sometimes.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>However, I can’t imagine any secure manner (possibly, beyond
something like CardSpace integrated into the OS) in which you can ask a user to
log in via an *<b>inline</b>* browser window. I can ONLY see an absolute
requirement that you go to your provider and get redirected back – that the
web site you are entering the details into is the one shown in your address bar.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>In no time at all many of us could hack a image popup that
looks like the FB Connect login screen. In fact even if you were 100% sure (say
via a browser button) that the script added WAS that of FB Connect, it is
trivial using a DIV and CSS’s z-index and any number of other methods to
put another identical window on top of that one.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I am seriously seriously missing something here? I love the
UX on FB Connect but all I see are potential security holes.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>IMHO OpenID should be build *<b>into</b>* the browsers if we
want to get this kind of inline authentication mechanism.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>steven<o:p></o:p></p>
<p class=MsoNormal>http://livz.org<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>[1] <span class=apple-style-span><b><span style='font-size:
10.0pt;font-family:"Verdana","sans-serif";color:black'>http://tinyurl.com/5puo96</span></b></span><o:p></o:p></p>
</div>
</body>
</html>