undefined | Better HN

0 pointstalos11y ago0 comments

Yeah, but those sites don't have people enter in their login/password until after they've been forwarded to an `amazon.com` or `paypal.com` domain. Try it. This is encouraging users to engage in fundamentally unsafe behavior (enter credentials for site A on site B because site B looks like site A).

0 comments

3 comments · 1 top-level

aioprisan11y ago· 2 in thread

Google Wallet does the same thing as Stripe checkout with the overlay: https://www.humblebundle.com/ Is the URL inspection the best way to make sure you're going to the right site? I know that for us deeply technical folks that's the case, but for someone less technical, they wouldn't know the difference between one URL redirect vs. another.

talosOP11y ago

Not quite. If you're not logged in, Google Wallet will open a popup (as opposed to a JS modal overlay), clearly identified as "https://accounts.google.com", prompting you to enter your username and password. The username and password are never entered under the same URL bar as the 3rd party site.

If Braintree's checkout process opened a popup window, with a clear URL bar, into which the user entered their username/password, then this would not be a problem.

pbcoronel11y ago

This is Pedro, one of the developers at Braintree who worked on this product. Security is our top priority which is why we will show a pop-up window hosted on a PayPal domain in the environments that support it. We are incrementally rolling this feature out. Here's more info about this particular issue: https://developers.braintreepayments.com/javascript+ruby/sdk...

1 more reply

j / k navigate · click thread line to collapse