OpenID in desktop apps
Christopher St John
ckstjohn at gmail.com
Sun Feb 8 03:48:29 UTC 2009
On Sat, Feb 7, 2009 at 7:33 PM, Chris Messina <chris.messina at gmail.com> wrote:
>
> I wanted to point out a disturbing but insightful trend that I've seen in
> apps, both on the Mac and iPhone lately... essentially embedding a WebKit
> view inside the app for doing delegated authentication. Example:
> http://www.flickr.com/photos/factoryjoe/3260710115/
>
Apps running outside a sandbox have so much access to your machine
that it's silly to begrudge them an embedded WebKit instance. It's like
worrying that somebody with a key to your house might break a window
to get in: sure, technically it is in fact a risk, but it's not something to
worry about.
More specifically, I absolutely guarantee that if I were writing an evil
desktop application I could make it appear to pop up a full browser,
complete with an address bar, that was really wired to the gills to reveal
all your innermost secrets.
Popping users around between a browser and an app is inconvenient
and disconcerting. The delegated authc/authz experience is generally
bad enough without further ruining it for a piece of security theater.
-cks
--
Christopher St. John
http://artofsystems.blogspot.com