Re: [OpenID] OpenID and phishing (was Announcing OpenID Authentication2.0 - Implementor's Draft 11)

2007-01-22 Thread Simon Willison

On 19 Jan 2007, at 15:06, Scott Kveton wrote:

 What if the OP cataloged where you just came from and then presented the
 screen that you mention?  The user is asked to navigate via a bookmark or
 entering the URL in the location bar and then upon logging in is presented
 with a link back to the site they just came from.  Then the user can quickly
 engage and the site can still kick off the SREG mojo instead of having to go
 _back_ to the site in question to re-initiate the login.

That's actually what I had in mind - I should have made that more  
clear. When you arrive on the landing page a cookie is set to allow  
the site to track your half-complete authentication request; once you  
log in you get a link to continue with that authentication.

I totally agree that the best thing about OpenID is that it lowers  
the barrier to engagement. My hope is that most users will be logged  
in to their OP most of the time, so they will actually very rarely  
see the landing page.

Cheers,

Simon
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
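The landing-page flow discussed in this thread, as an added Python sketch that is not from the thread or from any OpenID library: the redirect target stores the half-complete request against a cookie and shows no login form, the bookmarked URL is the only place credentials are accepted, and a continue link resumes the saved request. The login URL, the in-memory stores and the user table are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed placeholders: a real OP would use its session store and user database.
BOOKMARK_URL = "https://op.example/login"          # hypothetical short, memorable login URL
USERS = {"alice": "correct horse battery staple"}   # constructed test account
PENDING = {}        # cookie token -> saved checkid request (the half-complete auth)
LOGGED_IN = set()   # cookie tokens that signed in at the bookmarked URL

def check_credentials(username, password):
    expected = USERS.get(username, "")
    return hmac.compare_digest(expected, password) and username in USERS

def receive_checkid(params, cookie=None):
    """Page the RP redirects to. It records the request but never renders a login form."""
    if params.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        return {"status": 400, "body": "unsupported openid.mode"}
    return_to = params["openid.return_to"]
    realm = params.get("openid.realm", return_to)
    if not return_to.startswith(realm):   # simplified containment check, not the spec's full realm rules
        return {"status": 400, "body": "return_to outside realm"}
    token = cookie or secrets.token_urlsafe(16)
    PENDING[token] = {"return_to": return_to, "realm": realm}
    body = ("To sign in, open your bookmark for %s or type it into the location bar. "
            "This page will never ask for your password." % BOOKMARK_URL)
    return {"status": 200, "set_cookie": token, "body": body}

def login_at_bookmark(token, username, password):
    """Handler for the bookmarked URL: the only place the login form lives."""
    if not check_credentials(username, password):
        return {"status": 403, "body": "bad credentials"}
    LOGGED_IN.add(token)
    pending = PENDING.get(token)
    if pending is None:
        return {"status": 200, "body": "Signed in."}
    return {"status": 200, "continue_link": "/continue",
            "body": "Signed in. Continue to %s" % pending["realm"]}

def continue_pending(token):
    """Resume the saved request; only after a login that went through the bookmark."""
    if token not in LOGGED_IN or token not in PENDING:
        return {"status": 403, "body": "no pending request for this session"}
    pending = PENDING.pop(token)   # one-shot: the saved request cannot be replayed
    # The positive assertion would be signed here; only openid.mode is shown.
    return {"status": 302,
            "location": pending["return_to"] + "?" + urlencode({"openid.mode": "id_res"})}
```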


Re: [OpenID] OpenID and phishing (was Announcing OpenID Authentication2.0 - Implementor's Draft 11)

2007-01-19 Thread Scott Kveton
 Still totally unhappy about the phishing issues, which I blogged
 about here:
 
 http://www.links.org/?p=187
 
 I have a proposal which I think could greatly reduce the risk of
 phishing: identity providers should /never/ display their login form
 (or a link to the form) on a page that has been redirected to by an
 OpenID consumer.
 
 Instead, they should instruct the user to navigate to the login page
 themselves. The login page should have a short, memorable URL and
 users should be encouraged to bookmark it themselves when they sign
 up for the provider. The OpenID landing page then becomes an
 opportunity to help protect users against phishing rather than just
 being a vector for the attack.
 
 I've fleshed this out on my blog:
 
 http://simonwillison.net/2007/Jan/19/phishing/
 
 Does that sound workable?

One of the greatest strengths of OpenID is the ability for website operators
to lower the barrier to engagement ... User shows up, user enters OpenID,
user is then immediately participating in discussion/posts/comments/etc.
I'm afraid this proposal takes away from that by forcing the user to lose
the flow ... Of course it's that flow that is the problem in terms of
phishing.

What if the OP cataloged where you just came from and then presented the
screen that you mention?  The user is asked to navigate via a bookmark or
entering the URL in the location bar and then upon logging in is presented
with a link back to the site they just came from.  Then the user can quickly
engage and the site can still kick off the SREG mojo instead of having to go
_back_ to the site in question to re-initiate the login.

Would that work or am I missing something obvious?

- Scott
