Plaxo and OpenID (Problem 2)

Plaxo upgraded their OpenID libraries a while ago and this gave some issues. Those are fixed now, thank you Plaxo.

Now that I am blogging about Plaxo’s OpenID support, let me start with the second problem I have. Each time I receive an invitation to connect to someone I know at Plaxo, Plaxo shows a different URL to identify itself at my OpenID provider (MyOpenID). We are talking long and complex URLs containing numerous GET parameters.

The result is that the list of known URLs at my OpenID provider is getting longer and longer every day and Plaxo is already taking up over 60% of that list. The screenshot below shows a subset of this list:

[Screenshot: Plaxo OpenID URLs]

I don’t know if this is by (OpenID) design or not. What I do know is that when I have to accept a site, identified by a long and complex URL, requesting my information, I don’t really know if I should accept or not. This makes phishing a little easier to do: just throw a complex URL at the user; he can’t validate it anyway. To make matters worse, the MyOpenID layout does not even show the entire URL to me; it clips it off in the initial screen where I can “Allow Always”, “Allow Once” or “Deny” and in the list of sites I took action on.


One thought on “Plaxo and OpenID (Problem 2)”

  1. Turns out this is actually easy to fix on our end (as I learned at IIW this week). If we just pass a “trust_root” of “www.plaxo.com” to the OpenID provider, it won’t show the crazy URL, and it will also mean if you say “always trust” Plaxo, you will only have to log in once to access anything on Plaxo. So expect that fix soon. Thanks for the feedback! js
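The effect of the trust_root fix described in the comment above, as an added example (not Plaxo's or MyOpenID's code): a toy provider keys its "Allow Always" list on the realm, which in OpenID 1.1 falls back to return_to when trust_root is omitted, and rejects any return_to that does not lie under the realm. The path, the query strings and the full-URL form `http://www.plaxo.com/` of the trust_root are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

def _port(u):
    return u.port or (443 if u.scheme == "https" else 80)

def return_to_matches(trust_root, return_to):
    """OP-side check: return_to must lie under trust_root."""
    t, r = urlsplit(trust_root), urlsplit(return_to)
    if t.scheme not in ("http", "https") or t.scheme != r.scheme:
        return False
    th, rh = t.hostname or "", r.hostname or ""
    if not th or t.fragment or _port(t) != _port(r):
        return False
    if th.startswith("*."):                      # wildcard realm
        if rh != th[2:] and not rh.endswith(th[1:]):
            return False
    elif th != rh:
        return False
    tp, rp = t.path or "/", r.path or "/"
    return rp == tp or rp.startswith(tp if tp.endswith("/") else tp + "/")

class Provider:
    """Toy OP keeping the "Allow Always" list described in the post."""
    def __init__(self):
        self.always = set()

    def handle(self, params):
        return_to = params["openid.return_to"]
        # OpenID 1.1: a missing trust_root defaults to return_to.
        realm = params.get("openid.trust_root") or return_to
        if not return_to_matches(realm, return_to):
            return "reject"
        if realm in self.always:
            return "auto-approve"
        self.always.add(realm)                   # user clicks "Allow Always"
        return "prompt"

# Constructed sample: path and query strings are hypothetical.
SAMPLE = ["http://www.plaxo.com/openid?invite=%d&t=%s" % (i, tok)
          for i, tok in [(1001, "a9f"), (1002, "c41"), (1003, "7de")]]

def simulate(return_tos, trust_root=None):
    op, outcomes = Provider(), []
    for rt in return_tos:
        params = {"openid.return_to": rt}
        if trust_root:
            params["openid.trust_root"] = trust_root
        outcomes.append(op.handle(params))
    return outcomes, len(op.always)

if __name__ == "__main__":
    print(simulate(SAMPLE))
    print(simulate(SAMPLE, "http://www.plaxo.com/"))
```

Without a trust_root every invitation adds a new entry and a new prompt; with one, the user sees a single short realm, and a return_to on a lookalike host is rejected before any prompt is shown.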
