[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)
benl at google.com
Fri Jan 19 17:40:02 UTC 2007
On 1/19/07, Scott Kveton <scott at janrain.com> wrote:
> >> Solving this problem might not be a goal of the OpenID 2.0 Auth spec.
> >> but surely some attention should be given to mitigating the issue?
> > Exactly. I wouldn't expect OpenID to _solve_ phishing all on its
> > lonesome, but making it worse really does strike me as a serious
> > problem - and one that should cause all security people to recommend
> > avoiding it like the plague. We should be progressing on phishing, not
> > regressing.
> I think the suggestions on this list are a great start and I'm sure we'll
> see folks starting to implement them soon.
> Ben: since it's clearly not an issue for the spec,
I do not agree that it's not an issue for the spec. As it stands, the
spec completely washes its hands of this issue, and I don't think
> do you have any
> suggestions on how to combat phishing for OpenIDs?
a) Push browser authors to add unphishable auth!
b) Drop the religion on plugins in the meantime
I intend to write some more on mitigation soon.
> > OTOH, I think this religious attitude that says browser plugins are to
> > be avoided at all costs is wrong-headed. Browser authentication is
> > broken. Someone has to apply pressure that'll fix that situation!
> Even browser extensions can be phished. What about extensions that do bad
> things to other extensions? Trojan extensions?
> I think there has to be some smarts built into the browser that can't be
> affected by installed extensions to really solve this problem. I'm excited
> to see Mozilla engaged in this discussion already (thanks Mike for the links
> this morning).
Yes, in an ideal world this kind of stuff will be built into browsers
s.t. plugins cannot masquerade as it.
> - Scott
> general mailing list
> general at openid.net