[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Ben Laurie benl at google.com
Fri Jan 19 17:16:20 UTC 2007


On 1/19/07, John Kemp <frumioj at mac.com> wrote:
> Hi,
>
> With all due respect, I think you might be missing Ben's point.
>
> As I understood his post, he's saying that if an evil OP can masquerade
> as your OP, then they not only steal your login credentials, but can
> make assertions about the link between you (or your user-agent) and your
> OpenID. Assertions to any RP who'll take an OpenID assertion.
>
> Secondly, I think he's saying that all you need to do to start this
> attack is to be, yourself, an evil RP, sending you off to the evil OP.
>
> In other words, phishing probably becomes easier (how hard is it to make
> a reasonable-looking RP?) and more devastating (I've stolen the ability
> to make assertions about you to other RPs who "trust" your OP)
>
> Solving this problem might not be a goal of the OpenID 2.0 Auth spec.
> but surely some attention should be given to mitigating the issue?

Exactly. I wouldn't expect OpenID to _solve_ phishing all on its
lonesome, but making it worse really does strike me as a serious
problem - and one that should cause all security people to recommend
avoiding it like the plague. We should be progressing on phishing, not
regressing.

OTOH, I think this religious attitude that says browser plugins are to
be avoided at all costs is wrong-headed. Browser authentication is
broken. Someone has to apply pressure that'll fix that situation!

>
> Regards,
>
> - John
>
> Dick Hardt wrote:
> > +1
> >
> > On 19-Jan-07, at 7:55 AM, Mike Beltzner wrote:
> >
> >> At this juncture I feel that I should mention that I don't think
> >> "fixing phishing" should be a goal of OpenID. Improving things, and
> >> certainly not regressing is a must. But ensuring a perfect system
> >> might needlessly deadlock us.
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general

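The attack John describes has two halves: the evil OP steals the user's credentials at the real OP, and the evil OP tries to assert the user's OpenID to other RPs. The example below, added here and not code from the thread or from any OpenID library, simulates the RP-side checks that OpenID 2.0 requires on a positive assertion: the op_endpoint in the assertion must match the endpoint discovered from the claimed identifier, and the signature must verify under an association the RP itself negotiated. It shows that an arbitrary evil OP cannot assert on its own behalf about someone else's identifier to a careful RP, and, as the thread notes, it does nothing about the first half: an attacker who already holds the user's password can complete an honest flow at the real OP. All endpoints, identifiers, keys and the discovery table are constructed stand-ins.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for Yadis/HTML discovery: claimed identifier -> OP endpoint.
# A real RP fetches this from the identifier URL; here it is an inline table.
DISCOVERY = {
    "https://alice.example.com/": "https://op.example.com/server",
}

# Constructed association secrets (from openid.associate), keyed by assoc_handle.
# The honest RP only holds associations it negotiated with the discovered OP.
ASSOCIATIONS = {
    "assoc-honest-1": b"\x01" * 20,
}

RETURN_TO = "https://rp.example.net/openid/return"  # constructed RP return URL

REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def kv_sign(fields, signed, key):
    """OpenID 2.0 signature: base64(HMAC-SHA1 over 'key:value\\n' of the signed fields)."""
    msg = "".join(f"{name}:{fields['openid.' + name]}\n"
                  for name in signed.split(",")).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def verify_positive_assertion(fields, expected_return_to):
    """RP-side verification of an id_res message. Returns (ok, reason)."""
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if fields.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    discovered = DISCOVERY.get(fields.get("openid.claimed_id"))
    if discovered is None:
        return False, "discovery failed for claimed_id"
    # This is the check that stops an unrelated OP asserting about this identifier.
    if fields.get("openid.op_endpoint") != discovered:
        return False, "op_endpoint does not match discovered endpoint"
    key = ASSOCIATIONS.get(fields.get("openid.assoc_handle"))
    if key is None:
        return False, "unknown assoc_handle"
    signed = fields.get("openid.signed", "")
    missing = [f for f in REQUIRED_SIGNED if f not in signed.split(",")]
    if missing:
        return False, f"required fields not signed: {missing}"
    expected = kv_sign(fields, signed, key)
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False, "bad signature"
    return True, "ok"


def make_assertion(op_endpoint, key, handle, claimed, return_to):
    """Build a positive assertion the way an OP would (constructed helper)."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed,
        "openid.identity": claimed,
        "openid.return_to": return_to,
        "openid.response_nonce": "2007-01-19T17:16:20ZNONCE01",  # constructed
        "openid.assoc_handle": handle,
        "openid.signed": ",".join(REQUIRED_SIGNED),
    }
    fields["openid.sig"] = kv_sign(fields, fields["openid.signed"], key)
    return fields


def honest_flow():
    """The real OP signs with the association the RP negotiated with it."""
    a = make_assertion("https://op.example.com/server", ASSOCIATIONS["assoc-honest-1"],
                       "assoc-honest-1", "https://alice.example.com/", RETURN_TO)
    return verify_positive_assertion(a, RETURN_TO)


def evil_op_flow():
    """An unrelated OP asserting Alice's identifier: truthful endpoint, then spoofed."""
    evil_key = b"\x02" * 20  # the evil OP never held the honest association secret
    truthful = make_assertion("https://op.evil.example/server", evil_key,
                              "assoc-honest-1", "https://alice.example.com/", RETURN_TO)
    spoofed = make_assertion("https://op.example.com/server", evil_key,
                             "assoc-honest-1", "https://alice.example.com/", RETURN_TO)
    return (verify_positive_assertion(truthful, RETURN_TO)[1],
            verify_positive_assertion(spoofed, RETURN_TO)[1])


if __name__ == "__main__":
    print("honest:", honest_flow())
    print("evil OP:", evil_op_flow())
```

The discovery check catches the evil OP when it names its own endpoint, and the signature check catches it when it names the real one; neither helps an RP once the attacker can log in to the real OP with phished credentials, which is the regression the thread is worried about.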