On Tue, Jan 6, 2009 at 4:35 AM, Chris Heilmann <[email protected]> wrote:

> It is more troubling if people don't log out at the end of a session.
> Paranoia is never a good thing. If you leave things logged in, you are
> vulnerable.
Are you suggesting that I continually sign in/out of my gmail/twitter tabs in firefox when I switch between the two? Yes, that would enhance my security/privacy (I suppose), but this is not how an average user functions.

As for "why would a user re-log into twitter [on a phishing site]?" You could easily put up a fake error message like "Your session has expired", or "There has been an error, please log in again."

Phishing is not my primary concern for this thread (though it is still an issue); my primary concern is with tightly tracking users that visit sites. I could keep a list of visitors to my site stored in a database, or, even more creepy, as soon as anyone landed on my site, I could send a tweet from some account that says "@user hello! thanks for dropping by mysite.com! Hope you enjoyed it!" How many people *wouldn't* be freaked out by that? (In fact, I should try that and see what kind of reaction it generates...)

Even sites that have nothing to do with twitter could employ this technique to learn about their visitors. At least with normal tracking/analytic methods there is still an abstraction of anonymity like an IP address or a location/region. This just amps the magnification on the microscope.

I'll blame hammers for sore thumbs when the heads are way too big for the nails.

-Chad
