OpenID in desktop apps

chris.messina at gmail.com
Sun Feb 8 23:27:07 UTC 2009


Interesting... I'm certainly sympathetic to that point.

Still, curious if that's good enough for OPs and service providers...

Ultimately there isn't much difference here from being able to access
your bank account from a third party ATM. If the box is p0wned, you're
screwed anyway, so I'm curious how that situation evolved.

Is it possible only because of business deals? It's not like the
distributed web where anyone can launch a new app/service and ask for
people's credentials (see: Twply).

Ultimately, does it matter? And does it really just come down to
creating better overall experiences, security be damned?

Chris

On 2/8/09, Darren Bounds <darren at cliqset.com> wrote:
> Just to reiterate what I had said in a previous post regarding
> UIWebView. There's really no point concerning yourself with phishing
> when the application already owns the pond.
>
> In most cases an application launching an embedded user-agent with
> custom chrome doesn't need to phish. They more than likely already
> have access to the request and response payload (as is the case with
> UIWebView), even when they're sending you to the legitimate Facebook
> site.
>
> Darren
>
> On Sat, Feb 7, 2009 at 8:33 PM, Chris Messina <chris.messina at gmail.com> wrote:
>> I highly recommend that all those whom I cc'd join the user-experience list
>> at OpenID if you haven't already:
>> http://openid.net/mailman/listinfo/user-experience
>>
>> I wanted to point out a disturbing but insightful trend that I've seen in
>> apps, both on the Mac and iPhone lately... essentially embedding a WebKit
>> view inside the app for doing delegated authentication. Example:
>> http://www.flickr.com/photos/factoryjoe/3260710115/
>>
>> Without the URL bar (presuming that the URL bar hasn't been tampered with),
>> it's impossible to know who is hosting this page. Facebook is also
>> none-the-wiser about whether this experience is taking place from within the
>> browser or within some custom app. I also don't see how this can be stopped.
>> I'd like to hear your thoughts about this, given our desire to push the
>> popup experience forward, mandating, I presume, visibility of the URL bar in
>> these flows.
>> Chris
>> --
>> Chris Messina
>> Citizen-Participant &
>>  Open Web Advocate-at-Large
>>
>> factoryjoe.com # diso-project.org
>> citizenagency.com # vidoop.com
>> This email is:   [X] bloggable    [ ] ask first   [ ] private
>>
>> _______________________________________________
>> user-experience mailing list
>> user-experience at openid.net
>> http://openid.net/mailman/listinfo/user-experience
>>
>>
>
>
>
> --
> darren bounds
> darren at cliqset.com


-- 
Chris Messina
Citizen-Participant &
  Open Web Advocate-at-Large

factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private


