[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
Mike Beltzner
beltzner at mozilla.com
Fri Jan 19 07:25:54 PST 2007
On 19-Jan-07, at 10:19 AM, George Fletcher wrote:
> My concern with this is that it requires users to allow persistent
> cookies. This seems inherently insecure, what with hacks to read
> stored cookies, etc. I pretty much only allow cookies for a
> session (and hence pretty much just use firefox or camino nightly
> builds that support this functionality). For the majority of
> users, knowing when it is ok to allow persistent cookies and when
> not to is going to be way too complicated to deal with.
>
> Maybe the OpenID/Mozilla integration could address this by allowing
> persistent cookies for the OpenID Providers registered with the
> browser.
Why cookies? They're so 1990. ;) Let's take advantage of the client-
side persistent object storage APIs introduced in Gecko 1.8.1/Firefox
2 that are specified by the WHATWG Web Applications 1.0 standard[1],
which domain-scopes and everything.
cheers,
mike
[1]: http://www.whatwg.org/specs/web-apps/current-work/#storage
>
> Thanks,
> George
>
> Marcin Jagodziński wrote:
>> I don't think it will work, sorry. While this prevents phishing,
>> this also prevents OpenID from mass adoption. People are lazy,
>> they don't want to type anything. That is of course my humble
>> opinion. Another idea: what about permanent cookie set by OP?
>> Phished OP cannot access it. The cookie can contain some info
>> provided by user (eg. title of his favourite song, his favorite
>> quote). If cookie can be read, the content of it is displayed
>> ("Hello johndoe, your favorite song is Yellow Submarine, please
>> login below"), if not "Hello johndoe, we cannot recognize you,
>> please check location bar and SSL certificate... etc")
>>
>> What do you think about it?
>>
>> regards,
>> Marcin
>>
>> 2007/1/19, Simon Willison <simon at simonwillison.net>:
>>> On 19 Jan 2007, at 14:19, Ben Laurie wrote:
>>>> Still totally unhappy about the phishing issues, which I blogged
>>>> about here: http://www.links.org/?p=187
>>> I have a proposal which I think could greatly reduce the risk of
>>> phishing: identity providers should /never/ display their login
>>> form (or a link to the form) on a page that has been redirected
>>> to by an OpenID consumer. Instead, they should instruct the user
>>> to navigate to the login page themselves. The login page should
>>> have a short, memorable URL and users should be encouraged to
>>> bookmark it themselves when they sign up for the provider. The
>>> OpenID "landing page" then becomes an opportunity to help protect
>>> users against phishing rather than just being a vector for the
>>> attack.
>>>
>>> I've fleshed this out on my blog:
>>> http://simonwillison.net/2007/Jan/19/phishing/
>>>
>>> Does that sound workable?
>>>
>>> Cheers,
>>> Simon
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
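The recognition greeting Marcin proposes, kept in the domain-scoped client-side storage Mike suggests instead of a cookie, as an added example that is not part of the original thread. `OriginScopedStorage` is a hypothetical in-memory stand-in for browser storage, partitioned per origin as an assumption, and the host names and phrase are constructed sample values.

```javascript
// Hypothetical in-memory stand-in for browser storage that is partitioned
// by origin (scheme + host + port). Assumption: the real store scopes the same way.
class OriginScopedStorage {
  constructor() { this.areas = new Map(); }
  // A page only ever gets a handle to the area of its own origin.
  areaFor(pageUrl) {
    const origin = new URL(pageUrl).origin;
    if (!this.areas.has(origin)) this.areas.set(origin, new Map());
    return this.areas.get(origin);
  }
}

// Run once on the genuine OP after sign-up: remember the user's chosen phrase.
function enrollPhrase(browser, pageUrl, username, phrase) {
  browser.areaFor(pageUrl).set(`phrase:${username}`, phrase);
}

// Run on every login page load. Only a page served from the enrolling origin
// can recover the phrase; any other origin falls through to the warning.
function loginGreeting(browser, pageUrl, username) {
  const phrase = browser.areaFor(pageUrl).get(`phrase:${username}`);
  if (phrase === undefined) {
    return {
      recognized: false,
      text: `Hello ${username}, we cannot recognize you, ` +
            `please check location bar and SSL certificate`,
    };
  }
  return {
    recognized: true,
    text: `Hello ${username}, your favorite song is ${phrase}, please login below`,
  };
}

// Constructed sample values (hypothetical hosts).
const browser = new OriginScopedStorage();
const REAL_OP = "https://op.example/login";
const LOOKALIKE = "https://op-example.test/login";
enrollPhrase(browser, REAL_OP, "johndoe", "Yellow Submarine");

console.log(loginGreeting(browser, REAL_OP, "johndoe").text);
console.log(loginGreeting(browser, LOOKALIKE, "johndoe").text);
// The scheme is part of the origin, so a plain-http copy of the host also misses.
console.log(loginGreeting(browser, "http://op.example/login", "johndoe").recognized);
```

The missing greeting is the signal to the user: a page on any other origin has no way to produce the phrase, so it can only show the generic warning text.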