PC2


Users tend to get annoyed or uncomfortable about such encryption warnings as this one in Firefox:

"Although this page is encrypted, this information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?"

If we could get less of those, that would be grand!

Thoughts?



Re: Web Authentication - Encrypted/Unencrypted messages

Alex Media


Then you should host your own website on an HTTPS server, so the communication remains secure. Windows Live ID uses SSL for the login-handler page, and then returns a form to another website. Firefox warns because the form is submitted from SSL to non-SSL; the only option you have is to click [Ignore] and "not show me this again".




Re: Web Authentication - Encrypted/Unencrypted messages

PC2

That's right, but it doesn't have to happen this way. For instance, Yahoo!'s BBAuth uses SSL, but doesn't do this. Maybe it's because they redirect their login-handler page.

Also, I noticed the same issue when logging into regular Windows Live ID on another computer to make this post.





Re: Web Authentication - Encrypted/Unencrypted messages

Alex Media

Hmm, I don't know how Yahoo! does it, since I don't have a Yahoo! account and I don't want to create one for testing this. It might be possible that Yahoo! authenticates the user first, then redirects them to a non-SSL page to submit the token, I don't know exactly.