[OpenID] Fwd: OpenID Spoofing

Scott Kveton scott at janrain.com
Fri Jan 12 16:34:32 UTC 2007


Hi Bob,

> In your blog post about Phishing and OpenID
> <http://kveton.com/blog/2006/12/04/phishing-and-openid/> you itemize some
> mechanisms for addressing the phishing problem. These mechanisms should, of
> course, be considered along with External Authentication.

I really like the idea of external authentication.  I'm not sure users will
have the patience to wait for an email or IM (or for that matter want to do
the context switch) but having it as an option would be fantastic for the
users that really care about it.  Even better, requiring external
authentication for specific sites (i.e., my bank sites, shopping, etc.) would
be perfect IMHO.

> In your post, you
> include "Browser extension/plugin" and say that it is your "least favorite"
> option. I would appreciate it very much if you could explain a bit more about
> why this is "least favorite"?

I don't like having to put the burden on the users to install client-side
software.  Also, there is the possibility (although remote) that a user
could be phished to install an extension that does "bad things" as well.  And
what is there to stop other extensions you install for one thing from doing
"bad things" with your identity?

I'm really hoping that the Firefox 3.0 release will integrate OpenID in such
a way as to alleviate a lot of these risks:

http://radar.oreilly.com/archives/2007/01/firefox_30_requ.html

I really hope they make it so you can set your OpenID provider as a
preference and then not have that be mucked with by other extensions.  This
would go a long way towards helping address a lot of the phishing problems
we've been talking about on this list.

Of course we have to wait until Q3 or Q4 for the release of FF 3.0 ... :-)

- Scott
