<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<title>Re: [OpenID] FB Connect, OpenID and UX</title>
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ahhhh – thanks Luke and that makes complete sense… I
read the following in that article (not a quote from anyone at FB of course) :<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>“It uses an in-page pop-up containing the login dialog.
The user, therefore, never really leaves the page, making the experience almost
seamless.”<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Such an innocent line with huge implications. BUT really wish I had
more time to play – a million apologies </span><span style='font-size:
11.0pt;font-family:Wingdings;color:#1F497D'>J</span><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hmmm, writing a similar OpenID “lightbox” should be
trivial as well – food for thought, although I use OpenID mainly just for
auth just now, so the “lightbox” data sharing situation isn’t
something that concerns me too much (yet).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Still, I hope the built-in identity comes soon!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>steven<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>http://livz.org<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Luke Shepard
[mailto:lshepard@facebook.com] <br>
<b>Sent:</b> 15 December 2008 19:55<br>
<b>To:</b> Steven Livingstone-Perez; general@openid.net<br>
<b>Subject:</b> Re: [OpenID] FB Connect, OpenID and UX<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'>Hey Steven-<br>
<br>
I totally agree that identity should eventually be built into browsers and
devices. I would love to work on that.<br>
<br>
For Facebook Connect, the user’s credentials aren’t ever entered
into an iframe. If the user is not logged into Facebook, then they will get a
normal browser popup. I believe browser popups are supported by OpenID as well:<br>
<br>
<br>
<img width=453 height=480 id="_x0000_i1025"
src="cid:image001.png@01C95EF0.D28A49D0"><br>
<br>
Only if the user is logged in (which is detected behind the scenes) do they see
an iframe lightbox. But in that case, they are not asked for their username or
password.<br>
<br>
On 12/15/08 11:49 AM, "Steven Livingstone-Perez" <<a
href="weblivz@hotmail.com">weblivz@hotmail.com</a>> wrote:</span><o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'>Been on other things so apologies if this
was discussed in the previous thread on FB Connect …<br>
<br>
Perhaps I am mistaken on how FB Connect works, but today I read [1] that one
“issue” with OpenID is that you need to GO to the provider web site
to log in and so it’s a hassle for users, whereas with FB Connect you can
log in on that page and no redirect is required.<br>
<br>
I think we all agree that UX is one issue other than phishing that OpenID has
had to deal with over the last few years.<br>
<br>
However, I’m slightly perturbed that FB Connect is perceived to be *<b>easier</b>*
when it seems to me it is potential phishing security nightmare (worse than
anything thrown at OpenID) in the works. Let me first apologize if I am off
base here as I have read some of the doco and admit the devil can be in the
detail sometimes.<br>
<br>
However, I can’t imagine any secure manner (possibly, beyond something
like CardSpace integrated into the OS) in which you can ask a user to log in
via an *<b>inline</b>* browser window. I can ONLY see an absolute requirement
that you go to your provider and get redirected back – that the web site you
are entering the details into is the one shown in your address bar.<br>
<br>
In no time at all many of us could hack a image popup that looks like the FB
Connect login screen. In fact even if you were 100% sure (say via a browser
button) that the script added WAS that of FB Connect, it is trivial using a DIV
and CSS’s z-index and any number of other methods to put another
identical window on top of that one.<br>
<br>
I am seriously seriously missing something here? I love the UX on FB Connect
but all I see are potential security holes.<br>
<br>
IMHO OpenID should be build *<b>into</b>* the browsers if we want to get this
kind of inline authentication mechanism.<br>
<br>
steven<br>
<a href="http://livz.org">http://livz.org</a><br>
<br>
[1] </span><b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'><a
href="http://tinyurl.com/5puo96">http://tinyurl.com/5puo96</a></span></b><o:p></o:p></p>
</div>
</body>
</html>