[OpenID] [marketing] Fwd: OpenID Spoofing
gmane at faerber.muc.de
Tue Jan 16 12:33:42 UTC 2007
Dmitry Shechtman schrieb:
>> For local logins, you have to follow a special link that brings you to
>> the faked login page.
> MySpace has a Member Login box on its front page.
Yes, so what? How does that relate to what I've written?
If you don't follow a link but type in the URI manually or use a
bookmark, you're quite save from phishes.
>> In OpenID, this redirection is built into the protocol. Even worse,
>> OpenID is advertised as a system to use on as many sites as possible,
>> not as a system to login to few sites the user trusts.
> That's what I call hostile marketing. OpenID is a system to *use*
> everywhere, not to *login* everywhere. Contrary to the described
> misconception, it reduces the "few sites the user trusts" to only one.
That's what I call sticking your head into the sand. I think you don't
fully understand and greatly underestimate the threat of phishing.
It's irrelevant if you call it "use" instead of "login". The problem
does not go away: Every(!) site to which you identify with your OpenID
can present you with a phish instead of your real OpenID provider.
Do you really think most users will be able to tell the difference
The usual defence against phising - using your bookmarks when you want
to login - does not work because not using your bookmarks to get to the
OpenID provider is part of the protocol. Well, you can avoid it by
always logging in via OpenID first and then visiting any sites but users
in general won't do that. They won't notice if they have to login a
second time during their browsing session, either.
It's even worse with cross-site scripting. Given the code quality of
existing OpenID code (some libraries can't even parse the simplest of
HTML), a lot of these problems will spring up.
More information about the general