comments inlined

On Mon, Mar 24, 2008 at 2:43 PM, Steven Rakick <[EMAIL PROTECTED]> wrote:
> Let's be realistic here. It's not about the technical feasibility, it's
> about an open standard people trust and have bought into. This is what
> Information Cards are in my mind, much the same as OpenID.
>
> Sure you could go out and create an extension to serve the same purpose
> in your own way, but who would trust it? I mean PDP is known for
> javascript port scanning via XSS (i know you've done more but...), not
> authentication.
>

what do you mean by saying "not authentication", and how is that related to
the topic? and why wouldn't you trust it? :) do you code everything yourself
so that you trust it? I am just curious to understand what you mean, that's
all.

>
> My point is simple. With OpenID + Information Cards much of the security
> concerns/weaknesses (phishing, passwords theft/loss) around OpenID as a
> protocol are addressed. Sure you still have to trust the provider (or
> write your own), but the implementation can be secure, open and publicly
> accessible using currently available and supported web technologies.
> Beemba and MyOpenID currently do this.
>
> BTW, Firefox 3 will have support for Information Cards by default and an
> extension is available for Firefox 2 at Codeplex.
>
> -sr
>
> On Mon, Mar 24, 2008 at 5:25 AM, Petko D. Petkov <[EMAIL PROTECTED]> wrote:
> >
> > Let's put it this way,
> >
> > It is easy to prevent phishing attacks against OpenID on the
> > client-side with browser extensions. In fact, I think that Firefox
> > will make this feature a default in their upcoming versions. It could
> > work exactly the same as the current trusted certificate authorities
> > every single web browser comes with. You will have a list of trusted
> > OpenID providers domains which are also cross-matched with their SSL
> > certificates and URLs. Done!
> >
> > If Firefox is not planning to implement this feature, heck I will code
> > it myself. This is a hello world XUL extension.
> >
> > pdp
> >
> > On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick <[EMAIL PROTECTED]> wrote:
> > > Many of you have brought up that OpenID is vulnerable to phishing
> > > and have highlighted weaknesses specific to traditional
> > > username/password authentication.
> > >
> > > This was the main reason I brought up Information Cards in my
> > > original post. I've noticed that Beemba (http://www.beemba.com) and
> > > MyOpenID (http://www.myopenid.com) have both implemented Information
> > > Cards as an authentication option.
> > >
> > > Good idea?
> > >
> > > It seems to me that if you were to rely on Information Cards as
> > > opposed to username/password the phishing angle is mitigated. Is
> > > this not the case?
> > >
> > > -sr
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > --
> > Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
> > gnucitizen.org | hakiri.org | spinhunters.org
>

--
Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters
gnucitizen.org | hakiri.org | spinhunters.org
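The client-side check pdp sketches in the thread (a pinned list of trusted OpenID provider domains, cross-matched with their SSL certificates and login URLs, consulted before the browser follows a redirect to the provider) written out as an added example; this is not code from the thread, from Firefox, or from any extension named above, and the provider hosts, login paths and certificate fingerprints are constructed sample values.

```javascript
// Added example, not code from the thread. An extension would call
// checkOpenIdProvider() before letting the browser follow an OpenID redirect
// to a provider's login page. Hosts, paths and fingerprints below are
// constructed sample values, not the real providers' certificates.
const TRUSTED_OPENID_PROVIDERS = {
  // host -> certificate fingerprint pinned for that host, plus the only
  //         path prefix under which the provider's login page is expected
  "www.myopenid.com": { fingerprint: "sha256/MYOPENID-SAMPLE-FP", loginPath: "/signin" },
  "www.beemba.com":   { fingerprint: "sha256/BEEMBA-SAMPLE-FP",   loginPath: "/login" },
};

// Returns { ok, reason }. Each failure is a hard stop: a lookalike host, a
// plain-http redirect, an unpinned certificate or an unexpected login URL
// are exactly the signals a phishing redirect would present.
function checkOpenIdProvider(redirectUrl, observedFingerprint, trustList = TRUSTED_OPENID_PROVIDERS) {
  let url;
  try {
    url = new URL(redirectUrl);
  } catch (e) {
    return { ok: false, reason: "redirect URL does not parse" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "provider redirect is not https" };
  }
  // URL parsing already reduces userinfo tricks such as
  // https://www.myopenid.com@evil.example/ to hostname "evil.example".
  const host = url.hostname.toLowerCase();
  // hasOwnProperty guards against hosts like "constructor" hitting Object.prototype
  if (!Object.prototype.hasOwnProperty.call(trustList, host)) {
    return { ok: false, reason: "host " + host + " is not a trusted OpenID provider" };
  }
  const entry = trustList[host];
  if (observedFingerprint !== entry.fingerprint) {
    return { ok: false, reason: "certificate fingerprint for " + host + " does not match the pinned one" };
  }
  if (!url.pathname.startsWith(entry.loginPath)) {
    return { ok: false, reason: "login URL path " + url.pathname + " is outside the expected " + entry.loginPath };
  }
  return { ok: true, reason: "trusted provider, pinned certificate and login URL match" };
}
```

The observed fingerprint would come from the extension's view of the TLS connection; the function only decides, so the same logic can be unit-tested without a browser.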
