Sure — but you're the user I'm worried about — I'm worried about the folks who are susceptible to phishing and other exploits — who will put their password into any username/password combo...<div><br></div><div>
How do we protect them? Can we? Should we bother trying?<br><br><div class="gmail_quote">On Mon, Sep 21, 2009 at 4:10 PM, David Recordon <span dir="ltr"><<a href="mailto:recordond@gmail.com">recordond@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hey Darren,<br>
Yeah, you're right. My philosophy is that I'd rather give an<br>
application which I trust to some degree my password once and have it<br>
throw it away, rather than either a poor user experience bouncing me<br>
through a browser or it keeping my password forever.<br>
<font color="#888888"><br>
--David<br>
</font><div><div></div><div class="h5"><br>
On Mon, Sep 21, 2009 at 4:02 PM, Darren Bounds <<a href="mailto:darren@cliqset.com">darren@cliqset.com</a>> wrote:<br>
> Hey David,<br>
><br>
> Not speaking about iframes specifically in this case but rather the<br>
> fact that the use of UIWebView controls within iPhone<br>
> applications is generally considered 'ok' for OAuth handshakes. Both<br>
> suffer from credential interception weaknesses and rely on user trust<br>
> due to the lack of a visible address bar.<br>
><br>
> Darren<br>
><br>
><br>
> On Mon, Sep 21, 2009 at 6:36 PM, David Recordon <<a href="mailto:recordond@gmail.com">recordond@gmail.com</a>> wrote:<br>
>> Hey Darren,<br>
>> I'm confused. The OAuth protocol doesn't use embedded iframes either.<br>
>> It supports redirects like OpenID and now via the OpenID User<br>
>> Experience Extension combined with the OpenID and OAuth Hybrid<br>
>> protocol, popups.<br>
>><br>
>> --David<br>
>><br>
>> On Mon, Sep 21, 2009 at 1:28 PM, Darren Bounds <<a href="mailto:dbounds@gmail.com">dbounds@gmail.com</a>> wrote:<br>
>>> I find it curious that these compromises have been embraced by the<br>
>>> OAuth community to support a greater UX but they are not being<br>
>>> embraced by OpenID. After all, isn't an iPhone UIWebView control just<br>
>>> a different type of iFrame? You're still trusting parent application<br>
>>> not to do something malicious.<br>
>>><br>
>>> On Mon, Sep 21, 2009 at 12:24 PM, Chris Messina <<a href="mailto:chris.messina@gmail.com">chris.messina@gmail.com</a>> wrote:<br>
>>>> 2009/9/21 Steven Livingstone Pérez <<a href="mailto:weblivz@hotmail.com">weblivz@hotmail.com</a>><br>
>>>>><br>
>>>>> I would have thought an IFrame injected into the page wouldn't cause popup<br>
>>>>> issues.<br>
>>>><br>
>>>> Injected iframes are a bad idea — especially ones that ask you to enter your<br>
>>>> credentials.<br>
>>>> Indeed, while the injected iframe approach certainly has usability benefits<br>
>>>> (i.e. no new windows to lose track of) they present untenable security<br>
>>>> issues that, ultimately, mean that they cannot be used.<br>
>>>> Facebook has been somewhat erratic in its enforcement of the popup flow —<br>
>>>> making exceptions for certain partners. The problem is not the good actors<br>
>>>> who implement the technology correctly, though, it's that users don't<br>
>>>> develop an expectation to look for the popup, which affords them certain<br>
>>>> security-enhancing signals, like the URL bar, the presence of the HTTPS<br>
>>>> indicator and so on.<br>
>>>> Even if most people ignore these things, for those who *know* to inspect<br>
>>>> them, the popup is an order of magnitude more security-preserving.<br>
>>>><br>
>>>>><br>
>>>>> Are the popups generally going to be new window instances? I'd be surprised<br>
>>>>> if that is the suggested way.<br>
>>>><br>
>>>> I think we'll go through a transitional period. The big OpenID providers<br>
>>>> would likely prefer the popup method — which is less obtrusive than the full<br>
>>>> window redirect, which can be confusing for some users.<br>
>>>> More usability research is needed here — and that research needs to be<br>
>>>> shared with the wider community so that we understand what the typical user<br>
>>>> mental model is of signing in — and whether they can comprehend why they're<br>
>>>> sent back to their provider, rather than logged in directly.<br>
>>>> Chris<br>
>>>><br>
>>>>><br>
>>>>> steven<br>
>>>>> <a href="http://livz.org" target="_blank">http://livz.org</a><br>
>>>>><br>
>>>>> ________________________________<br>
>>>>> Date: Sun, 20 Sep 2009 17:38:19 -0700<br>
>>>>> Subject: Re: Popup flow<br>
>>>>> From: <a href="mailto:chris.messina@gmail.com">chris.messina@gmail.com</a><br>
>>>>> To: <a href="mailto:openid-user-experience@lists.openid.net">openid-user-experience@lists.openid.net</a><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>> On Sun, Sep 20, 2009 at 1:12 PM, Jonathan Coffman<br>
>>>>> <<a href="mailto:jonathan.coffman@gmail.com">jonathan.coffman@gmail.com</a>> wrote:<br>
>>>>><br>
>>>>> Are there concerns over users with ad-blockers or pop-up blockers and<br>
>>>>> being able to reach the OpenID flow?<br>
>>>>><br>
>>>>> There are some, yes. This needs to be widely tested, but we're able to get<br>
>>>>> around (read: interact with correctly) because the pop-up is launched by<br>
>>>>> user action, rather than automatically.<br>
>>>>> Facebook seems to use this method without a problem, so perhaps Luke has<br>
>>>>> some insights.<br>
>>>>> Chris<br>
>>>>><br>
>>>>><br>
>>>>> On Sep 19, 2009, at 11:32 PM, Allen Tom wrote:<br>
>>>>><br>
>>>>> Jonathan Coffman wrote:<br>
>>>>><br>
>>>>> In seeing Yahoo's announcement of their pop-up flow, and Google's previous<br>
>>>>> migration -- is this quickly becoming the defacto standard?<br>
>>>>><br>
>>>>> Hi Jonathan,<br>
>>>>><br>
>>>>> Yahoo's usability testing indicates that the new OpenID popup flow<br>
>>>>> performs better than the old redirect flow, and this is also consistent<br>
>>>>> with Facebook's experience with Connect.<br>
>>>>><br>
>>>>> The popup flow is currently an extension, meaning that it's optional, and<br>
>>>>> it's the RP's choice to invoke either the popup or redirect. If you have the<br>
>>>>> resources to experiment with both flows in a production environment,<br>
>>>>> definitely everyone would be very interested in the results.<br>
>>>>><br>
>>>>> Some of my stakeholders are asking for a templated/co-branded experience<br>
>>>>> so that users, when redirected, see a logo, etc from the RP on the<br>
>>>>> sign-up/log-in page for our OP. Obviously, that's not too difficult to do<br>
>>>>> but I feel like the whole argument might be overcome with a simplified OP<br>
>>>>> design by utilizing the popup draft spec.<br>
>>>>><br>
>>>>> Section 6 in the Draft User Interface spec defines a mechanism for the RP<br>
>>>>> to pass its logos to the OP. Showing the RP's logos to the user on the OP's<br>
>>>>> approval/login screens definitely is very helpful to users, and feedback<br>
>>>>> from our testers in our usability labs was overwhelmingly positive when we<br>
>>>>> did this.<br>
>>>>><br>
>>>>> Speaking on behalf of Yahoo, there are issues with displaying metadata<br>
>>>>> about the RP that was not manually reviewed for correctness by the OP. For<br>
>>>>> instance, the RP could be a malicious site that is pretending to be a<br>
>>>>> trusted site, such as a bank. The malicious RP could misrepresent itself by<br>
>>>>> passing the bank logo to the OP.<br>
>>>>><br>
>>>>> Other OPs that are planning to support the RP Icons portion of the UI<br>
>>>>> Extension may have other opinions about how important it is for OPs to<br>
>>>>> manually verify the RP's logos before displaying them to the user.<br>
>>>>><br>
>>>>> An alternative approach for having the RP pass metadata about itself to<br>
>>>>> the OP (including icons, name, description) would be to use the OpenID OAuth<br>
>>>>> Hybrid Extension, and have all the RP metadata bound to the RP's OAuth<br>
>>>>> consumer_key. Most OAuth service providers have certain<br>
>>>>> business/legal criteria to issue an OAuth consumer_key, and in Yahoo's case,<br>
>>>>> business partners are allowed to have logos associated with their consumer<br>
>>>>> key, and all of these logos are manually reviewed before being enabled.<br>
>>>>><br>
>>>>> Thanks<br>
>>>>> Allen<br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>> _______________________________________________<br>
>>>>> user-experience mailing list<br>
>>>>> <a href="mailto:user-experience@lists.openid.net">user-experience@lists.openid.net</a><br>
>>>>> <a href="http://lists.openid.net/mailman/listinfo/openid-user-experience" target="_blank">http://lists.openid.net/mailman/listinfo/openid-user-experience</a><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>> --<br>
>>>>> Chris Messina<br>
>>>>> Open Web Advocate<br>
>>>>><br>
>>>>> Personal: <a href="http://factoryjoe.com" target="_blank">http://factoryjoe.com</a><br>
>>>>> Follow me on Twitter: <a href="http://twitter.com/chrismessina" target="_blank">http://twitter.com/chrismessina</a><br>
>>>>><br>
>>>>> Citizen Agency: <a href="http://citizenagency.com" target="_blank">http://citizenagency.com</a><br>
>>>>> Diso Project: <a href="http://diso-project.org" target="_blank">http://diso-project.org</a><br>
>>>>> OpenID Foundation: <a href="http://openid.net" target="_blank">http://openid.net</a><br>
>>>>><br>
>>>>> This email is: [ ] bloggable [X] ask first [ ] private<br>
>>>>><br>
>>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>> --<br>
>>>> Chris Messina<br>
>>>> Open Web Advocate<br>
>>>><br>
>>>> Personal: <a href="http://factoryjoe.com" target="_blank">http://factoryjoe.com</a><br>
>>>> Follow me on Twitter: <a href="http://twitter.com/chrismessina" target="_blank">http://twitter.com/chrismessina</a><br>
>>>><br>
>>>> Citizen Agency: <a href="http://citizenagency.com" target="_blank">http://citizenagency.com</a><br>
>>>> Diso Project: <a href="http://diso-project.org" target="_blank">http://diso-project.org</a><br>
>>>> OpenID Foundation: <a href="http://openid.net" target="_blank">http://openid.net</a><br>
>>>><br>
>>>> This email is: [ ] shareable [X] ask first [ ] private<br>
>>>><br>
>>>><br>
>>>><br>
>>><br>
>>><br>
>>><br>
>>> --<br>
>>><br>
>>> Thank you,<br>
>>> Darren Bounds<br>
>>><br>
>><br>
><br>
><br>
><br>
> --<br>
> darren bounds<br>
> <a href="mailto:darren@cliqset.com">darren@cliqset.com</a><br>
><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Open Web Advocate<br><br>Personal: <a href="http://factoryjoe.com">http://factoryjoe.com</a><br>Follow me on Twitter: <a href="http://twitter.com/chrismessina">http://twitter.com/chrismessina</a><br>
<br>Citizen Agency: <a href="http://citizenagency.com">http://citizenagency.com</a><br>Diso Project: <a href="http://diso-project.org">http://diso-project.org</a><br>OpenID Foundation: <a href="http://openid.net">http://openid.net</a><br>
<br>This email is: [ ] shareable [X] ask first [ ] private<br>
</div>
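The thread above describes the RP side of the popup flow in prose: the OP request is the RP's choice to send as a popup or a full redirect, the popup has to be opened from a user click so popup blockers let it through, and a separate top-level window is what gives the user the address bar and HTTPS indicator to inspect. The following is an added example written for this page, not code from the thread, from the OpenID Foundation or from any of the participants. The core parameters (<code>openid.ns</code>, <code>openid.mode=checkid_setup</code>, <code>openid.return_to</code>, <code>openid.realm</code>, <code>identifier_select</code>) are from OpenID Authentication 2.0; the UI extension namespace and <code>openid.ui.mode=popup</code> follow the draft UI extension and are treated as an assumption here. The function names <code>buildCheckidSetupUrl</code>, <code>returnToMatchesRealm</code> and <code>openProviderPopup</code>, and the hosts <code>op.example</code> and <code>rp.example</code>, are placeholders invented for the example; the realm check is a simplified version of the return_to/realm rule in the 2.0 spec.

```javascript
// Added example (not from the thread): an RP launching an OpenID 2.0
// checkid_setup request in a popup from a user click.
// Core parameters are from OpenID Authentication 2.0. The UI extension
// namespace and "openid.ui.mode=popup" are an assumption based on the draft
// UI extension. All hosts/URLs are placeholders.

const OPENID_NS = "http://specs.openid.net/auth/2.0";
const IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select";
const OPENID_UI_NS = "http://specs.openid.net/extensions/ui/1.0"; // assumed draft namespace

// Build the checkid_setup URL. With popup=true the UI extension asks the OP to
// render a popup-sized page; with popup=false the same URL is used as a full
// redirect, which is the RP's choice as the thread notes.
function buildCheckidSetupUrl({ opEndpoint, returnTo, realm, claimedId = IDENTIFIER_SELECT, popup = true }) {
  if (!returnToMatchesRealm(returnTo, realm)) {
    throw new Error("openid.return_to must be within openid.realm");
  }
  const url = new URL(opEndpoint);
  const p = url.searchParams;
  p.set("openid.ns", OPENID_NS);
  p.set("openid.mode", "checkid_setup");
  p.set("openid.return_to", returnTo);
  p.set("openid.realm", realm);
  p.set("openid.claimed_id", claimedId);
  p.set("openid.identity", claimedId);
  if (popup) {
    p.set("openid.ns.ui", OPENID_UI_NS);
    p.set("openid.ui.mode", "popup");
  }
  return url.toString();
}

// Simplified realm check: same scheme and port, same host (or a subdomain when
// the realm starts with "*."), and return_to path under the realm path.
function returnToMatchesRealm(returnTo, realm) {
  const rt = new URL(returnTo);
  const wildcard = /^https?:\/\/\*\./.test(realm);
  const r = new URL(wildcard ? realm.replace("*.", "") : realm);
  if (rt.protocol !== r.protocol || rt.port !== r.port) return false;
  const hostOk = wildcard
    ? rt.hostname === r.hostname || rt.hostname.endsWith("." + r.hostname)
    : rt.hostname === r.hostname;
  return hostOk && rt.pathname.startsWith(r.pathname);
}

// Must be called synchronously from a click handler: browsers only allow
// window.open in response to a user gesture, which is why the popup is
// launched by user action rather than automatically. location=yes requests
// an address bar so the user can check the OP's URL and HTTPS indicator.
function openProviderPopup(authUrl, windowName = "openid_popup") {
  const features = "width=450,height=500,location=yes,toolbar=no,menubar=no,resizable=yes";
  return window.open(authUrl, windowName, features);
}

// Browser usage (skipped when run outside a page, e.g. under node).
if (typeof document !== "undefined") {
  document.getElementById("signin").addEventListener("click", () => {
    const authUrl = buildCheckidSetupUrl({
      opEndpoint: "https://op.example/server",
      returnTo: "https://rp.example/openid/return",
      realm: "https://rp.example/",
    });
    openProviderPopup(authUrl);
  });
}
```

The point of keeping the URL construction separate from <code>openProviderPopup</code> is that the same request serves both flows; only the last step (popup vs. <code>location.assign</code>) changes, so an RP can A/B the two as Allen suggests without two code paths.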