> You're welcome to lock users out of your site, but I suspect this
> trade-off doesn't make sense for most RPs.
Then again, I'm not most RPs. I'm me. Just as in webpage design,
what worked well for others won't necessarily make sense for everyone.
>> and if their URI *doesn't* use SSL then
>> the user has an illusion of security, one which may be reinforced by their
>> OP.
> You're making fairly specific assumptions about what the user does and
> doesn't understand about security. Without a user study, we have no
> way of knowing whether these assumptions are accurate.
I think they understand that SSL is safer (e-commerce, et al.).
By "reinforcement" I mean "specific advertisement": if the OP uses
its support of SSL as a feature to attract users, but does not educate
the user about how this security measure fits in among the larger
picture, they are effectively misleading the user into a mistaken
idea of how secure they are.
> You haven't offered any justification for these very specific
> assumptions. I bet they won't hold that widely if you tested them on
> real users.
I'm not concerned about "real users" so much as "MY users"; not drawn
from the average pool ;)
-Shade
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security