[OpenID] OpenID and phishing

Ka-Ping Yee openid at zesty.ca
Sat Jan 20 22:48:47 UTC 2007


On Sat, 20 Jan 2007, Mike Beltzner wrote:
> Again, we're agreeing, and I think you'll find that assuming that
> things are black & white (ie: that either people care about
> phishing, or that they don't) will make this conversation ultimately
> less fruitful.

If what I said implied that assumption, then I regret it.  Taking into
account users' non-binary perceptions of effort and risk is definitely
the right way to look at this problem.

> So let's work together so that deploying OpenID *doesn't* neccessarily
> mean significantly increasing the risk of phishing (eg: "no
> regressions") but not be so specific that the OpenID specification
> ends up limiting future implementations that might, as Chris says, be
> smarter than us and have better ways for preventing phishing.

I agree.

> > The spec should openly acknowledge that the current practice, which
> > is also the most illustrated practice, is not safe, and outline why.
>
> Yup.

Good!

> > On the other hand, it is probably a good idea to legislate or strongly
> > recommend *against* the specific practice we know to be dangerous --
> > redirecting from a validation request straight to a username/password
> > login form -- and this practice should not be used in examples.
> >
> > Can we agree on that?
>
> Yup.

Hooray.  We all win!


-- ?!ng



More information about the general mailing list