[OpenID] [marketing] Fwd: OpenID Spoofing

Chris Messina chris.messina at gmail.com
Fri Jan 12 09:03:03 UTC 2007


Fyi, I'm angling for an OpenID Mash Pit at Mozilla. Details pending
but generally, talk less, build more.

Chris

On 1/12/07, Daniel E. Renfer <Duck at kronkltd.net> wrote:
> On 1/12/07, Dick Hardt <dick at sxip.com> wrote:
> >
> > On 11-Jan-07, at 11:56 PM, Martin Atkins wrote:
> >
> > > ydnar wrote:
> > >> You could visit a malicious site that spoofs your IDP, trolling for
> > >> login info:
> > >>
> > >> 1. Visit site Foo and attempt to log in using OpenID.
> > >> 2. Site Foo notices you input a LiveJournal URL, and sends you to a
> > >> spoofed LJ login page.
> > >> 3. You enter your LJ credentials and are redirected back to site Foo.
> > >> The spoof site now has your LJ credentials.
> > >>
> > >
> > > I think we're already pretty aware of the OP "phishing" attack. The best
> > > solution for now is browser extensions that allow the user to
> > > unambiguously check to see if the current site is their OP. I understand
> > > that there's currently an experimental Firefox extension out there for
> > > doing exactly that, though off the top of my head I can't remember the
> > > name of it.
> >
> > Sxipper? ;-) http://www.sxipper.com
> >
> > (there has been heavy discussion of this topic on the Identity Gang
> > list over the past few days)
> >
> > -- Dick
>
> I actually think he was thinking of PhOff. [1] I actually don't really
> care for it because it required me to keep its button in my toolbar,
> (a space that's already way too crowded as it is.) and the color
> scheme looked bad IMO. Also, IIRC, it had a problem where it wouldn't
> change the color back when I switched tabs.
>
> That said, it seems like a good first effort. It would be pretty easy
> to teach grandma that she is not to type her OP's password anywhere
> unless the whole top of her browser is green.
>
> --
> Daniel E. Renfer
> http://kronkltd.net/
>


-- 
Chris Messina
Citizen Provocateur &
  Open Source Ambassador-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is:   [ ] bloggable    [X] ask first   [ ] private
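
The check discussed in the thread (is the page currently in view really the user's OP, and does the indicator reset when the tab changes?), as an added example that is not part of the original messages and is not code from Sxipper or PhOff. The host `op.example`, the function `isTrustedOpPage` and the class `OpIndicator` are hypothetical names chosen for illustration.

```javascript
// Added example. TRUSTED_OP is a constructed value standing in for the
// login endpoint of the user's own OpenID provider (OP).
const TRUSTED_OP = "https://op.example/login";

// Returns true only when currentUrl has exactly the same origin
// (scheme + host + port) as the user's configured OP and is served over HTTPS.
function isTrustedOpPage(currentUrl, trustedOpUrl) {
  let cur, op;
  try {
    cur = new URL(currentUrl);
    op = new URL(trustedOpUrl);
  } catch (e) {
    return false; // unparseable URL: never signal "safe"
  }
  // Plain HTTP can be rewritten in transit, so it never counts as the OP.
  if (cur.protocol !== "https:" || op.protocol !== "https:") return false;
  // Comparing parsed origins (not substrings) rejects lookalikes such as
  // "op.example.evil.example" and userinfo tricks such as "op.example@evil.example".
  return cur.origin === op.origin;
}

// Indicator state is recomputed from the URL now in view on every call,
// so a stale "green" cannot survive a navigation or a tab switch.
class OpIndicator {
  constructor(trustedOpUrl) {
    this.trustedOpUrl = trustedOpUrl;
    this.color = "neutral";
  }
  // Call on every page load and every tab activation.
  update(visibleUrl) {
    this.color = isTrustedOpPage(visibleUrl, this.trustedOpUrl) ? "green" : "neutral";
    return this.color;
  }
}

// Constructed sample URLs, one genuine and several spoofed.
const samples = [
  "https://op.example/login?return_to=https%3A%2F%2Ffoo.example%2F",
  "http://op.example/login",
  "https://op.example@evil.example/login",
  "https://op.example.evil.example/login",
];
const indicator = new OpIndicator(TRUSTED_OP);
for (const url of samples) console.log(indicator.update(url), url);
```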


