My point is that a picture and phrase would provide a false sense of security, since a phishing site could request it on the user's behalf, display it, collect the user's input, and post it to the OpenID server. By providing a false sense of security, the picture could be worse than doing nothing. The only possible defense is for the user to notice that the page has been decrypted. A simple warning not to submit the form unless the secure icon is shown in the browser would be the best security.

On Nov 7, 2007, at 10:41 AM, Walt Daniels wrote:
I have no doubt that the hackers will find ways around almost anything we (or anybody else) do to prevent phishing. There is no possibility of overestimating the stupidity of our users in ignoring all the best that we can offer. My proposal is a simple-to-implement step in the right direction (supplemented by heavier-duty server-side security). It doesn't change the user's behavior enough to be annoying. One can always make things more secure by introducing more and more complication.