Address Bar
jDavid
jdavid.net at gmail.com
Thu Mar 26 00:23:49 UTC 2009
I wonder if the story for HTTPS/SSL is a good one for us to look at?
or did it just happen so early in browser life that it was easy?
2009/3/25 Johannes Ernst <jernst+openid.net at netmesh.us>
> This is really interesting.
>
> It seems to me that we are struggling with a problem that is in no way
> specific to OpenID. It sounds like we should try and get everybody in a room
> that has the same problem -- like Visa in this example -- regardless of
> whether they have ever heard of or like OpenID, and come up with:
>
> 1. this is the best we can do with existing browsers, and we all educate
> the user the same way about the flow
>
> 2. a wish list for the browser companies how to offer better browser
> support natively for this particular pattern. Some generic pattern markup
> (not OpenID-specific, but for the redirect pattern) might be advantageous.
>
>
>
>
>
> On Mar 25, 2009, at 10:57, Martin Atkins wrote:
>
> Allen Tom wrote:
>>
>>> Do you have more details about the verified by visa process? I'm not
>>> familiar with it.
>>> I actually bought something online this morning, and I noticed that the
>>> merchant's checkout confirmation page mentioned something about portions of
>>> the screen being rendered by my credit card issuer in an iframe, which I
>>> thought was a weird thing to tell to the end user.
>>>
>>
>> I'm by no means an expert on 3D-Secure (which is the technology underlying
>> Verified By Visa), but the flow seems very similar to OpenID:
>>
>> * Merchant does "discovery" on your credit card to find out who your
>> provider is.
>>
>> * Merchant sends you to that provider where the provider authenticates you
>> by some means -- in my case, I get asked to enter three letters out of a
>> secret word and some other security questions, but I assume this varies from
>> provider to provider -- and sends an assertion back to the merchant.
>>
>> * The merchant recieves the assertion and processes the transaction.
>>
>> The ever-reliable Wikipedia tells me that the Verified By Visa brand of
>> the protocol recommends loading the provider's UI in an iframe in order to
>> *stop* users seeing the address bar, because many savvy users mistook it for
>> a phishing scam:
>> http://ambrand.com/2006/09/06/is-securesuitecouk-a-phishing-scam/
>>
>> (one might argue that this would be less of an issue if the issuing banks
>> served the data in their own domain rather than outsourcing it, but I
>> digress.)
>>
>> The "criticism" section of the Wikipedia page on 3D-secure details a bunch
>> of problems that OpenID implementors have also encountered.
>>
>> _______________________________________________
>> user-experience mailing list
>> user-experience at openid.net
>> http://openid.net/mailman/listinfo/user-experience
>>
>
>
>
> Johannes Ernst
> NetMesh Inc.
>
>
>
> http://netmesh.info/jernst
>
>
>
>
> _______________________________________________
> user-experience mailing list
> user-experience at openid.net
> http://openid.net/mailman/listinfo/user-experience
>
>
--
--
Justin Kruger -- Sr. Software Engineer - MySpace MDP
http://jDavid.net
jDavid.net at gmail.com
Anton Freeman: Vincent! How are you doing this Vincent? How have you done
any of this? We have to go back.
Vincent: It's too late for that. We're closer to the other side.
Anton Freeman: What other side? You wanna drown us both?
Vincent: You wanna know how I did it? This is how I did it Anton. I never
saved anything for the swim back.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-user-experience/attachments/20090325/725a4b14/attachment-0002.htm>
More information about the user-experience
mailing list