[security] Gathering requirements for in-browser OpenID support

Chris Drake christopher at pobox.com
Tue Oct 31 18:21:56 UTC 2006


Wednesday, November 1, 2006, 5:07:07 AM, you wrote:

PR> Chris Drake wrote:
>> I maintain my position:  MitM is not a protocol problem - it's a
>> "stupid user" problem.
>>   
PR> When word processors didn't ask if you wanted to save unsaved work when
PR> you exited the application, was that a "stupid user" problem, or poor
PR> human factors design? Personally, any time I hear "stupid user" I think
PR> "bad design."  It's the users we design for, if it doesn't work for them
PR> we have failed.

Yes - true - I am being unreasonably harsh; a 16x16 grid of pixels
making up a yellow padlock is definitely an unreasonable thing for my
parents to try and notice (the absence of) & understand - and the crap
that pops up when you click it is beyond the comprehension of at least
99% of internet users I'd expect.

Understanding URLs is also a bit harsh for most folks, that's if they
can even *see* the URL - check out this bank's login screen - at the
end of here: https://www.commbank.com.au/login/conditions_splash.asp

I guess we can technically name the people who *write* code for login
systems as being "users" themselves, who've been stupid in not making
their stuff work "end to end" (where the last "end" is someone's brain,
rather than a URL or Icon or whatever) - maybe "stupid author" would
be the better term.

Chris.
