[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
beltzner at mozilla.com
Fri Jan 19 17:11:54 UTC 2007
On 19-Jan-07, at 11:47 AM, john kemp wrote:
> With all due respect, I think you might be missing Ben's point.
I'm new here, so I don't know how much respect is due, yet, and I
miss points all the time, so it's quite right of you to point it out. ;)
> As I understood his post, he's saying that if an evil OP can
> as your OP, then they not only steal your login credentials, but can
> make assertions about the link between you (or your user-agent) and
> OpenID. Assertions to any RP who'll take an OpenID assertion.
> Secondly, I think he's saying that all you need to do to start this
> attack is to be, yourself, an evil RP, sending you off to the evil OP.
> In other words, phishing probably becomes easier (how hard is it to
> a reasonable-looking RP?) and more devastating (I've stolen the
> to make assertions about you to other RPs who "trust" your OP)
Right, and I'd call that a regression over what we have now.
> Solving this problem might not be a goal of the OpenID 2.0 Auth spec.
> but surely some attention should be given to mitigating the issue?
Again, agreed. All I was trying to do, after posting a slew of
research on how wide-spread the issue of phishing is across surfaces
of the browser, was argue that we shouldn't conflate the goals of
OpenID with the goal of "make it impossible for users to have their
passwords stolen, ever."
I think we're agreeing here, really.
> - John
> Dick Hardt wrote:
>> On 19-Jan-07, at 7:55 AM, Mike Beltzner wrote:
>>> At this juncture I feel that I should mention that I don't think
>>> "fixing phishing" should be a goal of OpenID. Improving things, and
>>> certainly not regressing is a must. But ensuring a perfect system
>>> might needlessly deadlock us.
>> general mailing list
>> general at openid.net
More information about the general