[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sat Jan 20 00:25:21 UTC 2007


Sorry, it's late here. I forgot that phisher RP can use just plain
redirect to phisher OP, not recognizable as "OpenID call". So my idea
is wrong.

M.

2007/1/20, Marcin Jagodziński <marcin.jagodzinski at gmail.com>:
> OpenID is more vulnerable to phishing than "normal web browsing". But
> I feel we can use it as an advantage!
>
> Plug-in/browser based approach: First we need to find out if the
> website claims to be an OP. It's easy (isn't it?). The browser can analyze
> requests and if a request matches the OpenID specs, the "final" website
> after all redirects will be treated as OP ("good" or "bad"). Then it's
> just a matter of keeping a list of visited OPs (and maybe connecting
> to a list of known "good" OPs and a blacklist of phishing OPs).
>
> If it claims to be an OP and the user has not visited it before, a HUGE
> alert before submitting any form should pop up: "This [URL] webpage
> claims to be your Identity Provider. But it seems you've never used it
> before. [Optional: if not on whitelist: What's even more suspicious:
> very few users used it before]. Please check its address very
> carefully and submit your password only if you're 101% sure that this
> is your Identity Provider"
>
> What do you think about it? We do not need a total antiphishing
> solution (so repeating that "OpenID is vulnerable in the same way
> every webpage is" won't help us). My method can't protect you from
> entering phishing OP directly, but it's outside our scenario.
>
>
> regards,
>
> Marcin
>
> 2007/1/20, Gavin Baumanis <gavin.baumanis at rmit.edu.au>:
> >
> >
> > Scott  - and everyone else on the list....
> >
> > My query is at your comment (Scott) of
> >
> > >>Ben: since it's clearly not an issue for the spec, do you have any
> > >>suggestions on how to combat phishing for OpenID's?
> >
> > Firstly - I don't have an answer - I don't even have a vague suggestion...
> > I completely understand that it is not an OpenId issue. - it affects all www
> > traffic.
> >
> > Now for the possibility of completely embarrassing myself - due to lack of
> > knowledge;
> >
> > How can it be considered out of spec for OpenId, if the mechanics of OpenId
> > authentication seem to assist phishing?
> > I clearly see it being something that can hold up the official release of
> > OpenId 2.0 for a pretty lengthy time - and I realise nobody wants that to
> > happen.
> >
> > I take on board the thoughts of others on the list of not getting bogged down
> > in attribute exchange etc, to the detriment of the 2.0 spec. that those
> > things should be treated separately and the spec should get the "final
> > release" that everyone wants.
> >
> > It just seems a little naive / slack, even, to take the attitude that since
> > phishing is such a big issue and since OpenId isn't the only technology
> > affected by it - then we shouldn't get involved in it. - Now, I realise that
> > no one is suggesting that either.... but I think not addressing it in the
> > spec - considering OpenID "almost" lends itself to a phishing attack is not
> > a wise decision either.
> >
> > I could be completely wrong - and would truly appreciate to be pointed in
> > the right direction - if I have it wrong.
> >
> > =gavin.baumanis
> >
> >
> > >>> On Saturday, January 20, 2007 at 04:30, in message
> > <C1D6404B.27172%scott at janrain.com>, Scott Kveton
> > <scott at janrain.com> wrote:
> >
> > >> Solving this problem might not be a goal of the OpenID 2.0 Auth spec.
> > >> but surely some attention should be given to mitigating the issue?
> > >
> > > Exactly. I wouldn't expect OpenID to _solve_ phishing all on its
> > > lonesome, but making it worse really does strike me as a serious
> > > problem - and one that should cause all security people to recommend
> > > avoiding it like the plague. We should be progressing on phishing, not
> > > regressing.
> >
> > I think the suggestions on this list are a great start and I'm sure we'll
> > see folks starting to implement them soon.
> >
> > Ben: since it's clearly not an issue for the spec, do you have any
> > suggestions on how to combat phishing for OpenID's?
> >
> > > OTOH, I think this religious attitude that says browser plugins are to
> > > be avoided at all costs is wrong-headed. Browser authentication is
> > > broken. Someone has to apply pressure that'll fix that situation!
> >
> > Even browser extensions can be phished.  What about extensions that do bad
> > things to other extensions?  Trojan extensions?
> >
> > I think there has to be some smarts built into the browser that can't be
> > affected by installed extensions to really solve this problem.  I'm excited
> > to see Mozilla engaged in this discussion already (thanks Mike for the links
> > this morning).
> >
> > - Scott
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >
>
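The browser-side heuristic Marcin sketches above (recognise an OpenID authentication request, treat the final host after redirects as the OP, keep a list of visited OPs plus a whitelist and blacklist, and warn on a first visit) can be modelled in a few lines. The following is an added example written for this page, not code from the original post or from any OpenID implementation; the hostnames, the redirect chains and the `OPVisitTracker` class are constructed for illustration. It also shows the blind spot Marcin points out in his follow-up: a plain redirect to a phishing OP carries no `openid.*` parameters, so the heuristic never fires for it.

```python
"""Toy model of a browser-side "is this page claiming to be my OP?" check.

Added example for the thread above (constructed, not from the original post).
"""
from urllib.parse import parse_qs, urlparse

# openid.mode values of an authentication request per OpenID Auth 1.1/2.0.
OPENID_AUTH_MODES = {"checkid_setup", "checkid_immediate"}


def is_openid_auth_request(url: str) -> bool:
    """True if the URL carries the query parameters of an OpenID checkid request."""
    qs = parse_qs(urlparse(url).query)
    modes = qs.get("openid.mode", [])
    has_identity = "openid.identity" in qs or "openid.claimed_id" in qs
    return has_identity and any(m in OPENID_AUTH_MODES for m in modes)


def final_host(redirect_chain):
    """Host of the last URL in a redirect chain: the 'final' website the user lands on."""
    return urlparse(redirect_chain[-1]).netloc.lower()


class OPVisitTracker:
    """Keeps the visited-OP list and the optional whitelist/blacklist from the proposal."""

    def __init__(self, known_good=None, blacklist=None):
        self.visited = set()
        self.known_good = set(known_good or ())   # assumed external whitelist of OPs
        self.blacklist = set(blacklist or ())     # assumed external list of phishing OPs

    def classify(self, redirect_chain):
        """Return 'not-openid', 'blacklisted', 'known' or 'first-visit' for a request chain.

        redirect_chain[0] is the request the browser saw leaving the RP; the rest are the
        redirects that followed it. Only a chain that starts as an OpenID request is examined,
        which is exactly the gap Marcin's follow-up describes: a plain redirect is invisible here.
        """
        if not is_openid_auth_request(redirect_chain[0]):
            return "not-openid"
        host = final_host(redirect_chain)
        if host in self.blacklist:
            verdict = "blacklisted"
        elif host in self.visited or host in self.known_good:
            verdict = "known"
        else:
            verdict = "first-visit"
        self.visited.add(host)
        return verdict


def warning_for(verdict, host):
    """Text the browser would show before any form submission on this page, or None."""
    if verdict == "first-visit":
        return (f"This {host} webpage claims to be your Identity Provider, but it seems "
                "you've never used it before. Please check its address very carefully.")
    if verdict == "blacklisted":
        return f"{host} is on the phishing blacklist. Do not enter your password."
    return None


# Constructed sample traffic (no real hosts).
KNOWN_OP_CHAIN = [
    "https://myopenid.example/server?openid.mode=checkid_setup"
    "&openid.identity=https%3A%2F%2Falice.myopenid.example%2F",
    "https://myopenid.example/login",
]
UNKNOWN_OP_CHAIN = [
    "https://rp.example/start?openid.mode=checkid_setup"
    "&openid.identity=https%3A%2F%2Falice.myopenid.example%2F",
    "https://lookalike-op.example/signin",
]
PLAIN_REDIRECT_CHAIN = ["https://rp.example/go", "https://lookalike-op.example/signin"]


def run_scenarios():
    """Classify the three constructed chains with one tracker; used by the demo and the test."""
    tracker = OPVisitTracker(known_good={"myopenid.example"})
    first = tracker.classify(KNOWN_OP_CHAIN)
    second = tracker.classify(UNKNOWN_OP_CHAIN)
    third = tracker.classify(UNKNOWN_OP_CHAIN)      # same unknown OP again: now 'visited'
    fourth = tracker.classify(PLAIN_REDIRECT_CHAIN)  # blind spot: no openid.* params at all
    return first, second, third, fourth


if __name__ == "__main__":
    for verdict, chain in zip(run_scenarios(), [KNOWN_OP_CHAIN, UNKNOWN_OP_CHAIN,
                                                UNKNOWN_OP_CHAIN, PLAIN_REDIRECT_CHAIN]):
        print(verdict, final_host(chain), warning_for(verdict, final_host(chain)))
```

The fourth scenario is the one that made Marcin withdraw the idea: the phishing RP sends the browser to the fake OP with an ordinary redirect, the chain never contains an `openid.mode`, and `classify` returns `not-openid` without ever consulting the visited list.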

