[security] Bookmark Keywords
Ka-Ping Yee
openid at zesty.ca
Sun Jan 21 08:10:24 UTC 2007

Here's an interesting twist on the BookmarkID idea.

Firefox lets you assign keywords to bookmarks and give them
parameterized URLs. In my browser, "g" is assigned to the URL

    http://google.com/search?q=%s

So I can do a quick search by typing

    g openid

into the URL bar, which becomes

    http://google.com/search?q=openid

Aha! What if the OpenID provider says, for all you spiffy Firefox
users out there, assign a keyword to

    https://bookmarkid.net/login?user=yourname&pass=%s

Then, when necessary, you authenticate with your OpenID provider
by typing the keyword and your password into the URL bar.

Pros:

  - This is probably the closest thing we can have to password entry
    in chrome with an unmodified browser.

  - The authentication procedure is really different from anything
    like filling in a phisher's form -- it's harder to fool you.

Cons:

  - A password in the URL? Looks scary, huh? But it will be
    encrypted over the wire with SSL, so from a protocol standpoint
    it is just as safe as submitting a password in a form. We
    already have to trust the provider anyway to treat passwords
    with care, and that includes not logging the query parameters.

  - Your password will end up in your browser history. But what
    does that risk exactly? If bad guys have access to your browser's
    profile storage you're already hosed.

  - It's just for Firefox users, and slightly geekier ones willing
    to follow the setup instructions.

  - Watch out for shoulder surfers, and don't do this while you're
    giving a presentation on a projector.

-- ?!ng
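
The "not logging the query parameters" requirement from the message above, as an added example that is not part of the original post or any provider's code: it expands the keyword URL and masks the password in a request line before it is stored. The `SENSITIVE` set, the function names, the sample log line and the use of `quote` to approximate the browser's encoding are assumptions.

```python
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Keyword URL from the post; "yourname" is the post's own placeholder.
TEMPLATE = "https://bookmarkid.net/login?user=yourname&pass=%s"
# Assumption: query parameter names the provider treats as secret.
SENSITIVE = {"pass"}
# Constructed access-log line in common log format (not real traffic).
SAMPLE_LOG = ('203.0.113.7 - - [21/Jan/2007:08:10:24 +0000] '
              '"GET /login?user=yourname&pass=correct%20horse HTTP/1.1" 200 512')

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def expand_keyword(template: str, typed: str) -> str:
    """Replace %s with the percent-encoded text typed after the keyword.

    quote(..., safe="") approximates the browser's encoding, so '&' or '='
    inside a password cannot split it into extra query parameters.
    """
    return template.replace("%s", quote(typed, safe=""))


def redact_url(url: str) -> str:
    """Return the URL (or request target) with sensitive values masked."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_log_line(line: str) -> str:
    """Mask sensitive query values in the request line before it is stored."""
    def fix(m: re.Match) -> str:
        return f'"{m["method"]} {redact_url(m["target"])} {m["proto"]}"'
    return REQUEST_RE.sub(fix, line)


if __name__ == "__main__":
    url = expand_keyword(TEMPLATE, "correct horse")
    print(url)
    print(redact_url(url))
    print(redact_log_line(SAMPLE_LOG))
```

The same `redact_url` filter has to run on every place the request target is written, since the request line is only one of them.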