[OpenID] Another Anti-Phishing Scheme for OpenID

Bob Wyman bob at wyman.us
Sat Feb 3 17:17:58 UTC 2007


On 2/3/07, Aswath Rao <aswathr at hotmail.com> wrote:> I have a proposal for a
login ceremony that could drastically reduce
>phishing attacks. I would appreciate feedback from you.
> http://www.mocaedu.com/mt/archives/000287.html

What you describe is an "in-chrome" solution -- i.e. one that involves a
modification  to the browser in the form of either a plug-in or built-in
code. This class of solutions is, I think, the correct path to take. Most of
the other approaches that have been proposed can be described as
"work-arounds" to the fact that such in-chrome solutions are not deployed.

Folk tend to avoid specifying in-chrome solutions since they are all too
well aware that as the number of suppliers of browsers has been reduced, the
amount of browser innovation has been seriously reduced. Certainly, the
proponents of these often ugly work-arounds have a point, however, I think
we should bite the bullet and accept that in-chrome solutions are
technically the best and also those that offer the best potential for good
user experiences. Instead of seeking more work-arounds, we should be
focusing on the political problem of figuring out how do we get the browser
developers to deliver the tools we require to provide a safe browsing
experience.

bob wyman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070203/a70f358b/attachment-0002.htm>


More information about the general mailing list