Open Connect - A UX proposal for the OpenStack

Alexandru Popescu ☀ the.mindstorm.mailinglist at gmail.com
Thu Dec 18 16:44:28 UTC 2008


On Thu, Dec 18, 2008 at 12:42 PM, Steven Livingstone-Perez
<weblivz at hotmail.com> wrote:
> I'd like to see something that adds this to a list of trusted sites in the
> browser (built-in or via plug-in). I mean how hard would the logic be to
> figure out if a page is requesting myspace authentication information and
> display a message saying this is NOT myspace.
>
> There must be software that does this already... I have seen lots of
> phishing software but most isn't in the browser and I haven't seen anything
> that interacts with trusted web sites directly so that the official myspace
> signup page could signal that they should be trusted to the browser. Then
> the user could be informed of any attempts to get myspace user
> authentication information.
>
> In other words take the "DON'T LOG IN" message below and make it something
> concrete *in* the browser. My mum would never check the URL (although I
> suspect she's also not one of the top 10 myspace users :) ).
>
> steven
> http://livz.org
>

Steven,

While I'm tempted to agree with you, I don't think the above is
really possible. And here is why:

1. it would mean that the number of ID providers is known upfront
2. it would mean that *all* the browsers will include this information
in order to be able to validate it

Now, as you can imagine, both these hypotheses are weak! Just to give
you a short example of why the above hypotheses are weak: the number
of ID providers will change over time and then you will depend on the
browser release cycles and the adoption of the new version. Secondly,
the number of browsers is out of control (who would stop me creating
my FF version or my Safari version and so on). Not to mention how
long we will have to wait until getting initial support for this.

I do think that at this stage, 'branding' (and this term is used in a
much larger sense than the one in the dictionary) is the only option
and popularizing it with the help of the internet giants may be the
shortest path.

br,

./alex
--
.w( the_mindstorm )p.
  Alexandru Popescu



> -----Original Message-----
> From: user-experience-bounces at openid.net
> [mailto:user-experience-bounces at openid.net] On Behalf Of Alexandru Popescu ?
> Sent: 17 December 2008 22:07
> To: OpenID user experience
> Subject: Re: Open Connect - A UX proposal for the OpenStack
>
> On Wed, Dec 17, 2008 at 1:36 AM, Allen Tom <atom at yahoo-inc.com> wrote:
>> I like how MySpace says this on their login screen:
>>
>> Always make sure you're visiting the real myspace.com!
>>
>> Check the URL in your browser.
>> Make sure it begins with http://www.myspace.com/
>> If ANY OTHER PAGE asks for your info, DON'T LOG IN!
>>
>
> That is indeed a good idea, but the message is too long and will need
> careful design to be sure that the end-user (probably non-tech) will
> actually read it. We might need to symbolize the above steps in some
> sort of icon that is part of the OpenID 'brand'.
>
> ./alex
> --
> .w( the_mindstorm )p.
>  Alexandru Popescu
>
>
>>
>>
>> Joseph A Holsten wrote:
>>
>> Agreed. It is vital that, in the absence of ibid, the user check the OP url.
>> A warning of that sort would have to go on the RP's page of the flow. But
>> the RP is probably the one trying to spoof the user.
>>
>> I think the best tactic is then to get respectable RPs to mention it so
>> checking becomes second nature.  Has anyone put together a really effective
>> blurb to tell users how to check the URL? How about a box like
>> http://www.flickr.com/photos/josephholsten/3107919243/
>>
>> ________________________________
>>
>>
>> http://josephholsten.com
>>
>>
>> On Dec 14, 2008, at 3:05 PM, David Fuelling wrote:
>>
>> Hi Sebastian,
>>
>> I love your mockups!   Great ideas!
>>
>> The only flaw is the whole "password" bit, though I think this is a flaw
>> with Facebook's solutions as well.  For people that use Facebook a lot, and
>> also start connecting to other websites using Facebook Connect, the
>> potential for phishing seems very high -- If I'm not already logged-in to my
>> Facebook account, and I try to "Connect" using Facebook, I'm asked for my
>> Facebook email address/password.  This is not good.  In the future, once
>> Facebook Connect becomes very familiar to people, it will be easy to phish
>> this type of thing (on my popup window for facebook, the URL is
>> "http://www.connect.facebook.com/lo...", the rest of which is cut-off). Most
>> people won't bother to look and see what the rest of the URL says (it could
>> be "http://www.connect.facebook.com.lookout.com").
>>
>> I think your UI workflow will have the same problems as Facebook Connect.
>> So, is there a way to utilize the workflow you propose, but if the user
>> isn't logged-in to their OP, then take them to their OP's login page
>> (which would involve a redirect)? I know it's not an ideal "flow", but my
>> feeling is that Facebook's connect popup (or Open Connect's popup) will be
>> easily phishable in its current form that asks for a password to be entered.
>>
>> Overall, though, I think your flow is pretty cool!
>>
>> David
>>
>> On Sun, Dec 14, 2008 at 5:46 PM, Sebastian <pixelsebi at me.com> wrote:
>> Hi UX list,
>>
>> I have created a few mockups over the weekend to illustrate a UX
>> proposal, which just adapts the Facebook Connect design-pattern for
>> the OpenStack:
>>
>>
>> http://pixelsebi.com/2008-12-14/open-connect-a-ux-proposal-for-the-openstack/
>>
>> Looking forward to getting your feedback!
>>
>> Best Regards,
>> Sebastian
>>
>> _______________________________________________
>> user-experience mailing list
>> user-experience at openid.net
>> http://openid.net/mailman/listinfo/user-experience
>>
>
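
The lookalike host raised earlier in the thread (a popup whose visible URL is cut off after "http://www.connect.facebook.com"), as an added example that is not part of any message in this thread: it compares what a truncated address display and a text-prefix check report against a comparison of the whole parsed hostname. The trusted-host list, the function names and the URL paths are assumptions made for the illustration.

```javascript
// Added example. Host list, function names and URL paths are constructed
// for illustration; only the two host strings come from the thread.
const TRUSTED_LOGIN_HOSTS = ["www.connect.facebook.com", "www.myspace.com"];

// What a narrow popup title bar shows: the first `width` characters only.
function truncatedDisplay(url, width) {
  return url.length > width ? url.slice(0, width) + "..." : url;
}

// Weak check: treats the URL as text and looks for a trusted prefix.
function naivePrefixCheck(url) {
  return TRUSTED_LOGIN_HOSTS.some(
    (h) => url.startsWith("http://" + h) || url.startsWith("https://" + h)
  );
}

// Strict check: parse the URL and compare the complete hostname.
function strictHostCheck(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  } catch (err) {
    return { trusted: false, reason: "unparseable" };
  }
  if (TRUSTED_LOGIN_HOSTS.includes(host)) {
    return { trusted: true, reason: "exact-host" };
  }
  // A trusted name used as the leading labels of some other domain.
  const imitated = TRUSTED_LOGIN_HOSTS.find((h) => host.startsWith(h + "."));
  if (imitated) {
    return { trusted: false, reason: "lookalike", imitates: imitated };
  }
  return { trusted: false, reason: "unknown-host" };
}

// Constructed sample URLs (paths are placeholders, not from the thread).
const genuine = "http://www.connect.facebook.com/constructed/path";
const lookalike = "http://www.connect.facebook.com.lookout.com/constructed/path";
for (const url of [genuine, lookalike]) {
  console.log(truncatedDisplay(url, 31), naivePrefixCheck(url), strictHostCheck(url));
}
```

Both sample URLs render identically once truncated to 31 characters and both pass the prefix check; only the full-hostname comparison separates them.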


