[OpenID] [marketing] Fwd: OpenID Spoofing

Chris Messina chris.messina at gmail.com
Fri Jan 12 08:05:56 UTC 2007


This is also not unique to OpenID. It's a problem with any remote
login system -- even local logins (see MySpace).

Seems to me it's documenting best practices, educating folks, and
getting friends to look out for one another. Surprise surprise,
technology can't solve all problems.

;)

Chris

On 1/11/07, Martin Atkins <mart at degeneration.co.uk> wrote:
> ydnar wrote:
> > You could visit a malicious site that spoofs your IDP, trolling for
> > login info:
> >
> > 1. Visit site Foo and attempt to log in using OpenID.
> > 2. Site Foo notices you input a LiveJournal URL, and sends you to a
> > spoofed LJ login page.
> > 3. You enter your LJ credentials and are redirected back to site Foo.
> > The spoof site now has your LJ credentials.
> >
>
> I think we're already pretty aware of the OP "phishing" attack. The best
> solution for now is browser extensions that allow the user to
> unambiguously check to see if the current site is their OP. I understand
> that there's currently an experimental Firefox extension out there for
> doing exactly that, though off the top of my head I can't remember the
> name of it.
>
> Obviously better solutions would be nice moving forward, but I don't
> think we're in that bad a place right now.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>


-- 
Chris Messina
Citizen Provocateur &
  Open Source Ambassador-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is:   [ ] bloggable    [X] ask first   [ ] private
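The mitigation Martin describes above, a browser-side check that the page asking for credentials really is the user's OpenID provider, can be sketched in a few lines. The following is an added example written for this archive page; it is not the experimental Firefox extension he refers to, nor code from any OpenID project. The trusted OP origin, the verdict names and the sample URLs are all constructed for illustration.

```javascript
// Added example, not code from the thread or from any OpenID extension.
// Idea: the user registers the exact origin (scheme + host + port) of their
// OP once; before credentials are typed into a login form, compare the
// current page's origin against it. Everything below the scheme/host/port
// (path, query) is under the relying party's or attacker's control and is
// deliberately ignored.

// Constructed: the user's configured OpenID provider.
const TRUSTED_OP_ORIGINS = new Set(["https://www.livejournal.com"]);

// Second-level label of a hostname ("livejournal" for www.livejournal.com),
// used to spot brand names embedded in unrelated hosts.
function brandLabel(hostname) {
  const parts = hostname.split(".");
  return parts.length >= 2 ? parts[parts.length - 2] : hostname;
}

// Returns { verdict, origin, reason }. Only "trusted" should let the
// extension stay quiet; every other verdict is a reason to warn the user.
function classifyLoginPage(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return { verdict: "unparseable", origin: null, reason: "URL did not parse" };
  }
  const origin = u.origin;
  const host = u.hostname;

  if (TRUSTED_OP_ORIGINS.has(origin)) {
    return { verdict: "trusted", origin, reason: "exact origin match" };
  }

  // The URL parser converts internationalised hostnames to punycode, so a
  // homograph of the OP's name surfaces here as an "xn--" label.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "punycode-host", origin, reason: "IDN label in hostname" };
  }

  for (const trusted of TRUSTED_OP_ORIGINS) {
    const t = new URL(trusted);
    // Same host but plain http or an odd port: not the origin the user trusts.
    if (t.hostname === host) {
      return {
        verdict: "scheme-or-port-mismatch",
        origin,
        reason: `expected ${trusted}, page is ${origin}`,
      };
    }
    // www.livejournal.com.evil.example, livejournal-login.example, etc.
    if (host.includes(brandLabel(t.hostname))) {
      return {
        verdict: "lookalike",
        origin,
        reason: `hostname ${host} embeds the OP name but is not ${t.hostname}`,
      };
    }
  }
  return { verdict: "unknown", origin, reason: "host is not a known OP" };
}

// Constructed sample pages a user might land on in step 2 of the scenario.
const SAMPLE_URLS = [
  "https://www.livejournal.com/login.bml?ret=1",
  "http://www.livejournal.com/login.bml",
  "https://www.livejournal.com.evil.example/login",
  "https://www.liv\u0435journal.com/login", // Cyrillic "е" in place of Latin "e"
  "https://example.org/login",
];

for (const url of SAMPLE_URLS) {
  const r = classifyLoginPage(url);
  console.log(`${r.verdict.padEnd(24)} ${url}  (${r.reason})`);
}
```

The check is deliberately strict: only an exact origin match is silent, and a plain-http copy of the real OP host is treated as a mismatch rather than a near-miss, since a spoofed page has no reason to carry the OP's certificate. The lookalike and punycode branches only catch the obvious imitations; a phishing host with no resemblance to the OP still ends up as "unknown", which is why the extension has to warn on anything other than "trusted" rather than try to recognise bad sites.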