drstarcat

13 comments posted · 0 followers · following 0

16 years ago @ drstarcat.com - How to Train a 6 Year-... · 0 replies · +1 points

Thanks Fred. I wonder if kids these days are so good at avoiding brands that they are just too disengaged to care?

Ultimately the question will be whether this sort of brand advertising (as opposed to the "thing" advertising that Google does) continues to drive sales the way it once did or if an ever increasing amount of advertising dollars go to intention-based advertising. This is particularly important for the New TV because, as I'll be arguing in my next post, intention-based advertising is nearly impossible for video (because when watching a video, my intention is to be entertained and not interrupted).

I'll be interested to see how your kids (and the rest of us) react to Hulu if the networks try to cram in 18 unskippable ads for 21 minutes of content. I think the networks might realize we're more at war than they think.

16 years ago @ drstarcat.com - How to Train a 6 Year-... · 0 replies · +1 points

Thanks Doc. It's always nice to have a comment that's as (if not more) informative than the original post!

16 years ago @ drstarcat.com - How to Train a 6 Year-... · 1 reply · +1 points

I don't buy the cultural issue. It's more fundamental than that. I DO buy your personal (and to some degree society's) ability to deal with this instinct in myriad, beautiful, and often counter-intuitive ways. That's what makes us great.

16 years ago @ drstarcat.com - Why an OAuth iframe is... · 0 replies · +1 points

I know what the user SHOULD do. I also know what the user WILL do. And that's my point. I believe that users will be more likely to get successfully phished if they get comfortable entering their credentials into redirected sites than they will if they get used to entering their credentials into the sites they are giving access to.

In the first scenario, your average user will think they can give their credentials to a "somewhat" dubious site that redirects them to a Netflix-like page because they'll be convinced it IS Netflix (regardless of the URL). In the second scenario, they will at least give a second thought to typing their credentials, because it will at least "feel like" they are giving their credentials to THAT site (whether they are in actuality or not).

Your second point is a VERY compelling one though. I'd hate to have my guys try to hack something together that doesn't work, or if it does, is something Netflix wouldn't be happy with. Our real job at SetJam is to make online TV easy and that's what we'd like to spend most of our time on. I'd reconsider your anti-framing stance however. I think the community has put "should" ahead of "will" in this case, and that's a recipe for disaster.

16 years ago @ drstarcat.com - Why an OAuth iframe is... · 0 replies · +1 points

Btw... because of your suggestion, we're going to do the following:

You need to let Netflix know that you want to use SetJam:

If you've already got a Netflix account <login here>.

If you don't have a Netflix account, <start your 30 day free trial here>.

[smaller] We won't store your Netflix login information. If you'd prefer to enter your login information at Netflix, click here.

16 years ago @ drstarcat.com - Why an OAuth iframe is... · 0 replies · +1 points

Wow Richard! That is a very simple but smokin' good idea. I was planning on putting a notification on the iframe stating that we wouldn't be storing user credentials, but adding a "verify" link for the truly paranoid is a great idea. Thanks!

16 years ago @ drstarcat.com - Why an OAuth iframe is... · 0 replies · +1 points

For a fully secure implementation, this is probably where it has to belong. This is exactly why iCards works this way. The problem is that any time you're relying on the browser, you've got to wait for the browser manufacturers to agree to and implement the standard. And as we all know, that could take a decade (if it ever actually happened).

16 years ago @ drstarcat.com - Why an OAuth iframe is... · 4 replies · +1 points

This is a great reply Simon. As a technologist and member of the Identity community, I also greatly sympathize with it. I'm still on the fence about this though. In fact, I thought about writing a follow-up post on why implementing OAuth in an iframe is actually better for security. Here's my reasoning, and it is only half warped by my desire to give my users an easy experience.

If I (and the community) consistently redirect people to other sites, it is at least plausible that users would find this the "normal" way of doing things and look suspiciously at framed implementations (as they should). But realistically speaking, what would the user find "normal"? The answer--going to an entirely different site that LOOKS like their trusted site and typing in their credentials. The thought that they will pay any attention to the URL is a total pipe dream.

So where does this leave the user? Perfectly set up for every phishing attack in the world! On the other hand, with an iframe implementation, what does the user think--I'm trusting THIS site (the relying party) with my authentication credentials. And this is EXACTLY the site the user should be making the security evaluation about.

Now the community may argue that this defeats the purpose of OAuth and is no different than the user handing out their credentials to the relying party. It's not though--because I'm NOT storing the user's credentials. I'm not doing this because I, as the relying party, understand that this reduces MY risk exposure.

So my point is three-fold:

1. Redirects may not be teaching users what you think and may actually be teaching them to erroneously believe that when a site looks like their trusted site, it actually is their IP.
2. By authenticating on the RP site, users are making the trust evaluation about the correct site.
3. All is not lost with this implementation, because we've won half the battle by teaching TECHNOLOGISTS how to be an RP and the advantages of NOT storing user credentials.

16 years ago @ drstarcat.com - Why an OAuth iframe is... · 0 replies · +1 points

Good point and something we saw discussed in the OAuth community about this. Others have managed to pull it off, so hopefully the issues won't be insurmountable. Knowing my luck, we'll waste some time on it and have to go back to the new window anyway!

16 years ago @ drstarcat.com - Why an OAuth iframe is... · 0 replies · +1 points

Eh... We could, but I feel like the full redirect is even worse than popping up another window. If the claim holder sites didn't make their authentication pages so ugly it wouldn't be so bad, but typically they're just a login box surrounded by a black background!

rj