[OpenID] [security] Another Client-side Password Phishing Mitigation Idea
marcin.jagodzinski at gmail.com
Sun Jan 21 18:35:57 UTC 2007
Maybe I don't understand this correctly, but... well the author of
this noticed this too:
/ flash to bypass the check"
That's right. In my opinion you have to do both: change the UI on every
page that claims to be an OP (or includes a "password" field, although I
think that's too broad) AND warn the user if the OP is suspicious. This is the
missing part of this idea. If the "phisher" wants to trick the plugin by
not using the "password" field, we should just let him do this, and
make the user see the difference.
2007/1/21, Tan, William <William.Tan at neustar.biz>:
> This is a combination of techniques that may mitigate password phishing:
> combine a whitelist + warning pop-up with prominent display of target
> domain and a time-delayed button.
> Comments are most welcome.
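The combination discussed above (mark any page carrying a password field, warn when the form's target is not a whitelisted OP, show the target domain prominently, and gate the submit button behind a delay) can be expressed as a pure function so the policy can be unit-tested outside a browser. The following is an added example written for this thread, not code from the original posts or from any OpenID implementation. `OP_WHITELIST`, `assessLoginForm`, `registrableDomain` and `SubmitDelay` are names chosen here; the whitelist entries are constructed. It goes slightly beyond the thread by also flagging non-HTTPS targets and IDN hosts (shown in punycode, so look-alike domains are not hidden), both labelled as assumptions in the code.

```javascript
// Added example (not from the thread). Models the proposed client-side check
// as a pure function over a form description, so it runs under Node without
// a browser. Names and whitelist entries are assumptions for illustration.

const OP_WHITELIST = new Set(["myopenid.com", "example-op.net"]); // constructed list

// Approximate the registrable domain by the last two labels.
// Assumption: a real extension would consult the Public Suffix List (co.uk etc.).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

// form = { action: absolute URL of the form target, hasPasswordField: boolean }
// Returns: badge   - change the UI (the thread's "mark every page with a password field")
//          warn    - show the warning pop-up
//          display - the exact target host to show prominently (punycode for IDN)
//          reasons - why the warning fired
//          delayMs - how long the submit button stays disabled
function assessLoginForm(form, whitelist = OP_WHITELIST) {
  const result = { badge: Boolean(form.hasPasswordField), warn: false, display: "", reasons: [], delayMs: 0 };
  let url;
  try {
    url = new URL(form.action);
  } catch {
    result.display = String(form.action);
    result.reasons.push("form action is not a parseable absolute URL");
    result.warn = true;
    result.delayMs = 5000;
    return result;
  }
  const host = url.hostname; // WHATWG URL yields the ASCII (punycode) form for IDN hosts
  result.display = host;
  if (host.split(".").some((l) => l.startsWith("xn--"))) {
    result.reasons.push("internationalised hostname, shown in punycode"); // assumption: extra check
  }
  if (url.protocol !== "https:") {
    result.reasons.push("target is not HTTPS"); // assumption: extra check
  }
  const reg = registrableDomain(host);
  if (!whitelist.has(reg)) {
    result.reasons.push(`${reg} is not a whitelisted OP`);
  }
  result.warn = result.reasons.length > 0;
  result.delayMs = result.warn ? 5000 : 0; // 5 s chosen arbitrarily for the example
  return result;
}

// Time-delayed button: submit stays disabled until delayMs has elapsed since the
// warning was shown. Timestamps are passed in (ms), so no timers are needed to test it.
class SubmitDelay {
  constructor(delayMs, shownAt) {
    this.delayMs = delayMs;
    this.shownAt = shownAt;
  }
  canSubmit(now) {
    return now - this.shownAt >= this.delayMs;
  }
  remainingMs(now) {
    return Math.max(0, this.delayMs - (now - this.shownAt));
  }
}

// Constructed sample forms: a whitelisted OP, a look-alike host that embeds the
// OP name as a subdomain, and the same OP reached over plain HTTP.
function demo() {
  const forms = [
    { action: "https://www.myopenid.com/signin", hasPasswordField: true },
    { action: "https://myopenid.com.evil-host.example/signin", hasPasswordField: false },
    { action: "http://myopenid.com/signin", hasPasswordField: true },
  ];
  return forms.map((f) => assessLoginForm(f));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of demo()) console.log(JSON.stringify(r));
}
```

Note that the second sample form deliberately omits a password field: the page is still evaluated on its target, so dropping the field (the bypass mentioned above) only costs the phisher the badge, not the warning.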