Clipperz: OpenID-proxy concept gone awry

There is clearly some demand for a password repository site done right. I myself would like a simple system that automatically saves/restores my information using a bookmarklet and allows me to login to the service with my OpenID. One fairly bad example is Clipperz which I was referred to by the creator (Marco Barulli) who I actually didn’t meet but did photograph at OpenCoffee.


The problem of Clipperz is probably not the technique, but definitely the way it was presented (although I do wonder if saving all the secure information in your browser is that safe). The Clipperz site gives me a very big *nix feel as it keeps stating what kind of crypto technology is behind it, uses concepts like cards to save scripts, and requires users to “review their code”.

From a user perspective the whole workflow is very tedious, amazingly complex, and really doesn’t provide a single-click sign-on. I think the concept is very good and probably more secure than my idea, but I think they really need a designer and usability expert to help them enable simple users to use this. I did get some nice information about how a system like this works, so if I ever implement my own system I will use some of these basic concepts.

MyOpenID Adopts New Look

My favourite OpenID provider MyOpenID.com has recently launched a new look. I noticed it when I wanted to use my OpenID while I was not logged in yet to the server. There used to be a very ugly grey screen that would tell you to log in, and I remember thinking that most people wouldn’t understand the page or trust it. The new page is very nice and has recognizable colours and branding.

Proxy for OpenID

I was wondering if it isn't possible to combine techniques like OpenID and GenPass to create a sort of OpenID login for sites that don't actually have an OpenID login.

The idea of a proxy server like this would be to automatically create an account for you on a site that it recognizes and so allowing you to login transparently using your OpenID provider. This idea could be implemented by sites like ClaimID who already provide more than just OpenID. I think it would actually be pretty easy and I might give it a try when I get my MacBook back from Apple. On the other hand maybe Simon Willison should give this a try with his OpenID provider idproxy.net.

Obviously this technique would only be a hack, as I believe that any small site should provide an OpenID login. On the other hand, as many sites run the same software (Wordpress, Drupal, etc.) it would not be difficult to create a proxy server that can automatically generate accounts on the most common systems on the web if necessary.

Possible OpenID exploit?

I am wondering if the following procedure allows people to login with other people’s OpenID. The idea came to me when I heard about someone who made an OpenID server that would return as if the user was logged in no matter what user. Obviously this technique would only be annoying to the person who uses it, but this next one might affect others.

Let me paint you a picture of what I think could be done. I know Alper’s OpenID is http://alper.nl because I can see this on multiple sites and he even told me. Now let’s say I want to log in to his account at some site, without being logged in to his OpenID server. Obviously, when I try to log in to that site with his OpenID, it would redirect to his OpenID server, which would not recognize me as a valid user.

Now let’s try something else: what if I would change my hosts file (/etc/hosts on Linux and Mac) and make an entry for alper.nl, and have that point to, let’s say, localhost? I could probably fool the website I want to log in to into believing that I am redirecting to http://alper.nl while I’m actually not. Now that I have this I could run a server on my localhost that would return a valid response no matter who I am, or I could even delegate to my own OpenID server.

I haven’t tried this out, but I am very interested if there is any protection against these kind of measures. I hope, and expect, there is but I couldn’t find the answer anywhere. I even mailed Simon Willison for his advice, but I haven’t heard anything yet.
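As an added example (not part of the original post, and not code from any OpenID library), here is a simplified model of an OpenID 1.1-style relying party using HTML `openid.server` discovery and an HMAC-SHA1 signed assertion. The pages, the provider and relying-party hostnames (`openid.example`, `rp.example`) and the shared association secret are all constructed; the Diffie-Hellman association exchange that would normally produce that secret is elided. The model contrasts two views of the same identifier: what the relying party's own resolver fetches, and what the attacker's machine sees after editing its hosts file.

```python
"""Simplified OpenID 1.1-style relying party: where discovery happens and what gets verified.

Constructed model, not the original post's code and not a real OpenID library.
"""
import base64
import hashlib
import hmac
import re

# Constructed: the identifier page as fetched by the relying party's OWN resolver.
RP_VIEW = {
    "http://alper.nl/": '<link rel="openid.server" href="http://openid.example/server">',
}
# Constructed: the same identifier as seen from the attacker's machine after editing /etc/hosts.
ATTACKER_VIEW = {
    "http://alper.nl/": '<link rel="openid.server" href="http://localhost:8000/server">',
}


def fetch_as(view):
    """Return a fetcher bound to one network view (stand-in for an HTTP GET)."""
    def fetch(url):
        return view.get(url, "")
    return fetch


def discover(claimed_id, fetch):
    """OpenID 1.1 HTML discovery: read the server endpoint declared at the claimed identifier."""
    m = re.search(r'<link[^>]*rel="openid\.server"[^>]*href="([^"]+)"', fetch(claimed_id))
    return m.group(1) if m else None


def sign(fields, secret):
    """OpenID 1.1 signature: base64(HMAC-SHA1) over 'key:value\\n' for each signed field."""
    signed = fields["openid.signed"].split(",")
    token = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(secret, token.encode(), hashlib.sha1).digest()).decode()


def provider_assert(claimed_id, return_to, handle, secret):
    """Build the id_res response a provider (or a fake one) sends back to the relying party."""
    fields = {
        "openid.mode": "id_res",
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.assoc_handle": handle,
        "openid.signed": "mode,identity,return_to",
    }
    fields["openid.sig"] = sign(fields, secret)
    return fields


class RelyingParty:
    def __init__(self, fetch):
        self.fetch = fetch          # the RP's own resolver, never the user's
        self.assoc = {}             # endpoint URL -> (handle, shared secret)

    def associate(self, endpoint, secret):
        """Record a secret shared with the provider at this endpoint (DH exchange elided)."""
        handle = hashlib.sha1(endpoint.encode()).hexdigest()[:16]
        self.assoc[endpoint] = (handle, secret)
        return handle

    def begin(self, claimed_id):
        """Step 1: discover the endpoint to redirect the user to, using the RP's own resolver."""
        return discover(claimed_id, self.fetch)

    def complete(self, claimed_id, response):
        """Step 2: verify the assertion against the endpoint the RP itself discovered."""
        endpoint = discover(claimed_id, self.fetch)
        if endpoint not in self.assoc or response.get("openid.mode") != "id_res":
            return False
        handle, secret = self.assoc[endpoint]
        if response.get("openid.assoc_handle") != handle:
            return False
        if response.get("openid.identity") != claimed_id:
            return False
        # The signature must have been made with the secret shared with the discovered endpoint.
        return hmac.compare_digest(sign(response, secret), response.get("openid.sig", ""))


def demo():
    rp = RelyingParty(fetch_as(RP_VIEW))
    real_secret = b"constructed-secret-shared-with-openid.example"
    real_handle = rp.associate("http://openid.example/server", real_secret)
    claimed = "http://alper.nl/"
    # Legitimate flow: the real provider signs with the secret it shares with the RP.
    good = provider_assert(claimed, "http://rp.example/finish", real_handle, real_secret)
    # Attacker flow: the handle is public (it travels in the redirect), but the attacker's
    # localhost server does not hold the RP's secret, so it signs with a key of its own.
    forged = provider_assert(claimed, "http://rp.example/finish", real_handle, b"attacker-key")
    return {
        "rp_sees_endpoint": rp.begin(claimed),
        "attacker_sees_endpoint": discover(claimed, fetch_as(ATTACKER_VIEW)),
        "legit_accepted": rp.complete(claimed, good),
        "forged_accepted": rp.complete(claimed, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The model isolates the two things a hosts-file change cannot reach: the relying party fetches the claimed identifier with its own resolver, and it only accepts an assertion signed with the secret it shares with the endpoint that fetch revealed. In the demo the attacker's resolver reports `http://localhost:8000/server` while the relying party still sees `http://openid.example/server`, and the forged assertion is rejected.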

Server Change

I had some really serious trouble with my old server (which is still in the Netherlands managed by an ex-housemate) so Alper offered me some space on his DreamHost account. Tonight I managed to move the files but somehow I have some issues with the OpenID login for users. So for now no OpenID login, because I need my sleep.

Update: OpenID “should” work again.
