Battle Bazaar Blog

Battle Bazaar.net Developer / Designer Blog

OpenID and Yahoo

June 30, 2009 16:27 by DaveB

Just FYI,

With Yahoo and several other providers, you can just enter the provider's address (yahoo.com, for example) as your OpenID, and it will redirect you to Yahoo and prompt for your credentials. This is a good feature if you want to use their long, obfuscated identifiers but don't want to remember them. If you have multiple valid identifiers, it will let you pick which one to send back to the site.
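
What the post describes is OpenID 2.0 "directed identity": the relying party sends the provider the special identifier_select value instead of a concrete identifier, and the provider returns whichever identifier the user picked. The following is an added example written for this post, not code from the blog or from Yahoo: it builds that request and then verifies the provider's signed answer on the relying-party side. The discovery table, the endpoint URLs under example.com and the association secret are constructed stand-ins for what a real relying party would obtain from Yadis discovery and an association exchange with the provider.

```python
"""OpenID 2.0 relying party, directed-identity flow. Added example, not code
from this blog; values marked 'constructed' stand in for the Yadis discovery
and association results a real RP would obtain from the provider."""
import base64, calendar, hashlib, hmac, time
from urllib.parse import urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
# Constructed discovery results: identifier -> OP endpoint. "http://yahoo.com/"
# is an OP identifier (the provider itself); the others are user identifiers.
DISCOVERY = {
    "http://yahoo.com/": "https://op.example.com/auth",
    "https://me.example.com/alice": "https://op.example.com/auth",
    "https://me.example.com/bob": "https://op.example.com/auth",
    "https://me.example.com/carol": "https://other-op.example.com/auth",
}
OP_IDENTIFIERS = {"http://yahoo.com/"}
# Constructed association (normally negotiated with openid.mode=associate).
ASSOC_HANDLE = "assoc-example-1"
ASSOC_KEY = bytes(range(20))  # constructed HMAC-SHA1 shared secret
RETURN_TO = "https://rp.example.com/openid/return"
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

def normalize(user_supplied: str) -> str:
    """OpenID 2.0 normalization for a plain URL identifier."""
    url = user_supplied.strip().split("#", 1)[0]
    if "://" not in url:
        url = "http://" + url
    if url.count("/") == 2:  # no path component -> path is "/"
        url += "/"
    return url

def build_checkid_request(user_supplied: str) -> str:
    """Redirect URL for what the user typed. A bare provider address such as
    'yahoo.com' becomes a directed-identity request: claimed_id and identity
    are both identifier_select, so the user picks an identifier at the OP."""
    identifier = normalize(user_supplied)
    selected = IDENTIFIER_SELECT if identifier in OP_IDENTIFIERS else identifier
    params = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": selected, "openid.identity": selected,
              "openid.assoc_handle": ASSOC_HANDLE, "openid.return_to": RETURN_TO}
    return DISCOVERY[identifier] + "?" + urlencode(params)

def sign(params: dict, signed: list) -> str:
    """HMAC over the Key-Value Form ('key:value' + newline) of signed fields."""
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
    mac = hmac.new(ASSOC_KEY, kv.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_assertion(params: dict, seen_nonces: set, now: float) -> str:
    """Check a positive assertion; return the claimed identifier or raise.
    The last check is the one directed identity makes essential: the RP never
    discovered claimed_id before the request, so it must discover it now and
    confirm the asserting OP is authoritative for it."""
    if params.get("openid.ns") != OPENID_NS or params.get("openid.mode") != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    if params.get("openid.return_to") != RETURN_TO:
        raise ValueError("return_to does not match this endpoint")
    if params.get("openid.assoc_handle") != ASSOC_HANDLE:
        raise ValueError("unknown association handle")
    signed = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        raise ValueError("required fields not covered by the signature")
    if any("openid." + k not in params for k in signed):
        raise ValueError("signed list names a field that is absent")
    expected = sign(params, signed).encode()
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
        raise ValueError("bad signature")
    nonce = params["openid.response_nonce"]  # e.g. "2009-06-30T16:27:00Zabc"
    issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    if abs(now - issued) > 300 or nonce in seen_nonces:
        raise ValueError("stale or replayed response_nonce")
    seen_nonces.add(nonce)
    claimed_id = params["openid.claimed_id"]
    if claimed_id == IDENTIFIER_SELECT:
        raise ValueError("OP did not select a concrete identifier")
    if DISCOVERY.get(normalize(claimed_id)) != params["openid.op_endpoint"]:
        raise ValueError("asserting OP is not authoritative for claimed_id")
    return claimed_id

def rejection_reason(params: dict, seen_nonces: set, now: float):
    """None if the assertion verifies, otherwise the reason it was rejected."""
    try:
        verify_assertion(params, seen_nonces, now)
        return None
    except ValueError as exc:
        return str(exc)

def sample_assertion(claimed_id: str, nonce: str, op_endpoint: str) -> dict:
    """Constructed OP-side response, used only to exercise verify_assertion."""
    params = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
              "openid.op_endpoint": op_endpoint, "openid.claimed_id": claimed_id,
              "openid.identity": claimed_id, "openid.return_to": RETURN_TO,
              "openid.response_nonce": nonce, "openid.assoc_handle": ASSOC_HANDLE}
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = sign(params, signed)
    return params
```

The convenience of typing just "yahoo.com" is exactly what makes the final discovery check in verify_assertion matter: because the relying party never saw the claimed identifier before the provider picked it, it has to look that identifier up afterwards and confirm the provider that signed the response is the one authorized for it; otherwise any provider you hold an association with could hand back somebody else's identifier. In the example that lookup is a dictionary; in a real relying party it is a fresh Yadis/XRDS discovery on the returned claimed_id.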

Something Never to Do – courtesy of GE Money Bank’s Website

December 21, 2008 07:28 by DaveB

I know it might seem like a good idea to whoever is designing your web page, but do not ever, for any reason, put the ubiquitous lock icon on the page with “This site is secure.” next to it. Think about it for a minute – if you don’t get why you shouldn’t do this, keep reading.

Let’s say I am a phisher trying to trick users into clicking a link to a fake copy of your site. Where is the one place they can safely look to be 99.97% sure that they have reached a secure site and, more importantly, have reached your site in particular? The lock icon built into the browser. On Internet Explorer 7 and 8, it shows up at the top of the window like this (many other browsers follow the same pattern):

[image: IE address bar showing the lock icon for gemoney.com]

That tells me that I am hitting gemoney.com. It gives me an icon I can click on to see who is vouching that this is General Electric Company, like so:

[image: certificate details identifying General Electric Company]

Additionally, the address bar changed color to tell me that this is an EV (Extended Validation) certificate, the kind issued to corporations such as banks, and that the site met the requirements set forth for those kinds of certificates.

Now, here’s what you should never, ever do:

[image: lock icon with “This site is secure” text on the GE Money Bank page]

Just to show how safe it is:

   “This site is secure”

Instead, what they should have there is, roughly:

“Look for the lock icon in your browser’s address or status bar to be certain you are connected to our website. On newer web browsers, the address bar should be green and should identify us as ‘General Electric Company.’”

Do not duplicate, inside the web page, the browser UI that identifies whether a site is secure. When you do that, it becomes easier to lure users into submitting information to a fake website, because a fake page can copy your icon and text but cannot copy the browser’s own indicator. Instead, point users to where the information appears in their browser, and have them look there. Let the browser do its job and protect the user.

Also, I find it ironic that while PayPal Buyer Credit is run by GE Money Bank, you can’t pay it from your PayPal balance, and you can’t set up automatic transfers in either direction. It just seems like if I were running a credit service for PayPal, I would run the transfers both ways.

The main PayPal website links to VeriSign instead of displaying this widget, and also includes the VeriSign site seal. I don’t agree with site seals either, incidentally, because they are also too easy to fake.
