[wp-hackers] Should OpenID be in WP core?

Martin Fitzpatrick martin.fitzpatrick at gmail.com
Sun Mar 11 17:57:46 GMT 2007

On 09/03/07, Mark Jaquith <mark.wordpress at txfx.net> wrote:
> On Mar 8, 2007, at 10:17 PM, Matt Mullenweg wrote:
> > * If I hadn't been logged in:
> > 1. The page tells me I'm not logged in, but doesn't give me a link
> > to login because of phishing. I'm asked to go to a bookmark or type
> > in WordPress.com.
> > 2. I type in the URL to login.
> > 3. After I login and it redirects me to my admin page, a little
> > notice says there's an openid thingy in progress, and has a link.
> > 4. If I click the link it puts me back to #2 above.
> This is an interesting solution to the phishing problem.  I wonder
> how effective it will be.  It's pretty much counting on people
> getting so used to having to type in the address to get the login
> form that internal alarms will go off if they see a WP.com OpenID
> login form without having first manually typed the address or clicked
> their bookmarklet.

I'm surprised there isn't a "secret message" "these are the x and x
characters in your password" (or similar) style protection in use
instead. It would seem less hassle (and as secure?) to display a
message known only to the user / OpenID so the *server* can confirm it
is the real thing to the user. This is one of those places where the
trust needs to be proved in both directions...
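The two-step "secret message" login described above, as an added example that is not code from the original post or from WordPress: the account, identifier, phrase and password are constructed sample data. It models two variants of step 1 (the server shows the user's enrolled phrase before asking for the password). The naive variant keys the phrase on the identifier alone, so a phishing page that simply relays the victim's identifier to the real server learns the phrase and can show it. The device-bound variant only reveals the phrase when the request carries a token the real server set in a cookie after an earlier full login; a phishing page on another origin never receives that cookie, so its relay gets nothing. Step 2 is an ordinary password check.

```python
"""Two-step "secret phrase" login: the server proves itself to the user
before asking for a password. Added example, not WordPress or OpenID code."""
import hashlib
import hmac
import secrets

_SALT = b"constructed-fixed-salt"  # one fixed salt keeps the sample self-contained


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample account: hypothetical identifier, phrase and password.
USERS = {
    "alice.example.com": {
        "pw_hash": _pw_hash("correct horse"),
        "phrase": "green teapot 42",  # chosen by the user at enrolment
        "devices": set(),            # tokens issued after a full login
    },
}


def enrol_device(identifier: str) -> str:
    """After a successful full login, issue a token the real site stores in a
    cookie scoped to its own origin. A phishing origin never receives it."""
    token = secrets.token_hex(16)
    USERS[identifier]["devices"].add(token)
    return token


def step1_naive(identifier: str):
    """Naive variant: reveal the phrase to anyone who supplies the identifier."""
    user = USERS.get(identifier)
    return user["phrase"] if user else None


def step1_device_bound(identifier: str, device_token):
    """Device-bound variant: reveal the phrase only when the request carries a
    token this server issued for this account; otherwise show nothing."""
    user = USERS.get(identifier)
    if user is None or device_token not in user["devices"]:
        return None
    return user["phrase"]


def step2(identifier: str, password: str) -> bool:
    """Password check; constant-time compare of the stored and supplied hashes."""
    user = USERS.get(identifier)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], _pw_hash(password))


def phisher_relays_naive(identifier: str):
    """Phishing page forwards the victim's identifier to the real server and
    gets the phrase back, so it can display it convincingly."""
    return step1_naive(identifier)


def phisher_relays_bound(identifier: str):
    """Same relay against the device-bound variant. The victim's browser only
    sends the device cookie to the origin that set it, so the relay has no
    token to forward and the real server shows nothing."""
    return step1_device_bound(identifier, device_token=None)


if __name__ == "__main__":
    ident = "alice.example.com"
    tok = enrol_device(ident)
    print("naive, relayed by phisher:", phisher_relays_naive(ident))
    print("device-bound, relayed by phisher:", phisher_relays_bound(ident))
    print("device-bound, genuine browser:", step1_device_bound(ident, tok))
    print("password ok:", step2(ident, "correct horse"))
```

Two caveats follow from the code. Binding the phrase to a device cookie stops the plain relay but is itself only a cookie, so a phisher who can obtain that cookie (or who proxies the whole session from a device the user has already enrolled) is back to the naive case. And the protection rests entirely on the user refusing to type a password when the phrase is missing; user studies of the equivalent bank "site image" schemes found that most participants entered their password anyway when the image was absent, which is the same weakness the "type the address yourself" flow quoted above is trying to engineer around.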


