MySpace OpenID Popup spotted in the wild

Johannes Ernst at
Fri May 1 17:35:49 UTC 2009

On Apr 30, 2009, at 10:26, Chris Messina wrote:
> On Thu, Apr 30, 2009 at 2:08 AM, David Christiansen <openid-userexperience at 
> > wrote:
> Trying to maintain a 'Can Do Attitude' here but I have personal  
> reservations about going back to the days of browser pop-up windows  
> -...
> This is absolutely critical, as phishing attacks are as prevalent as  
> ever and will becoming increasingly so ...

If we could get the browser developers to add anything we wanted to  
their browsers, what *exactly* would we want them to implement?

This is not outlandish. The Mozilla folks asked repeatedly in the past  
(and we never knew what to say in response) and the security of a  
billion OpenIDs is not a set of user requirements that's easily  
dismissed either.

It appears that it would be some kind of user interface element (think  
"popup" for a minute) that could display the OP's authentication  
ceremony. But where the browser would somehow "certify" that it was  
not a phishing attempt and came from one of the user's trusted OPs. In  
a way that is better than having the user to do a string compare on  
the URL shown in the address bar.

What would such a user interface element look like? That's not limited  
to what we can do without cooperation from the browser guys.

In Firefox, it could be sitting in the side bar for example. (where  
the bookmarks are) Or ...?



Johannes Ernst
NetMesh Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lid.gif
Type: image/gif
Size: 977 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openid.gif
Type: image/gif
Size: 903 bytes
Desc: not available
URL: <>

More information about the user-experience mailing list