[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)
James A. Donald
jamesd at echeque.com
Sat Jan 20 03:17:48 UTC 2007
Marcin Jagodziński wrote:
> OpenID is more vulnerable to phishing than "normal web
> browsing". But I feel we can use it as an advantage!
> Plug-in/browser based approach: First we need to find
> out if the website claims to be an OP. It's easy
> (isn't it?) Browser can analyze requests and if
> requests matches OpenID specs, the "final" website
> after all redirects will be treated as OP ("good" or
> "bad"). Then it's just a matter of keeping a list of
> visited OPs (and maybe connecting to list of known
> "good" OPs and blacklist of phishing OPs).
The plugin should notice if we are logging in to a site
where we do not have an existing login.
If the plugin encounters a site where we have an
existing login, it auto logs in, or brings up its own
UI giving the user one-click login.
If the plugin encounters a site where we do not have an
existing login, but which asks us to login, it gets antsy,
because something is wrong, possibly phishing.
If the plugin encounters a site asking us to register,
it gives us a whole different UI.
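The plugin logic sketched in this thread (treat the final site after the redirects as the OP if the request matches the OpenID 2.0 spec, then compare it against the OPs we already have a login at and a blacklist), as an added example that is not code from either poster; the hosts and the redirect chain are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the URLs a browser plugin would see while an RP
# (rp.example) redirects the user to an OP (op.example); hypothetical hosts.
REDIRECT_CHAIN = [
    "https://rp.example/login",
    "https://rp.example/openid/start",
    "https://op.example/auth?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Frp.example%2Ffinish",
]

OPENID_NS = "http://specs.openid.net/auth/2.0"
AUTH_MODES = {"checkid_setup", "checkid_immediate"}


def looks_like_openid_auth_request(url):
    """True if the URL carries the parameters of an OpenID 2.0 authentication request."""
    q = parse_qs(urlparse(url).query)
    ns = q.get("openid.ns", [None])[0]
    mode = q.get("openid.mode", [None])[0]
    return ns == OPENID_NS and mode in AUTH_MODES


def final_op_host(chain):
    """The last site after all redirects is treated as the OP, but only if the
    request that landed there is an OpenID auth request; otherwise no OP."""
    last = chain[-1]
    if not looks_like_openid_auth_request(last):
        return None
    return urlparse(last).hostname


def classify_op(host, visited_ops, blacklisted_ops):
    """Decide which UI the plugin should present for this OP host:
    a known phishing OP is blocked, an OP we already have a login at gets the
    one-click login UI, and an unknown OP asking us to log in raises a warning."""
    if host is None:
        return "not-openid"
    if host in blacklisted_ops:
        return "block"
    if host in visited_ops:
        return "one-click-login"
    return "warn-unknown-op"
```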