[OpenID] Another Client-side Password Phishing Mitigation Idea

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sun Jan 21 19:22:03 UTC 2007


Dmitry,

I think we are moving too fast. The problem of "which functionalities
should be included in the plugin" / "what the plugin should look like"
is not the problem we are facing now. The real problem is:

1) what if a phisher prepares the page so that the plugin will not start
2) what if a legitimate OP prepares the page so that the plugin will not start

regards

2007/1/21, Dmitry Shechtman <damnian at gmail.com>:
> There are a few DISadvantages to this proposal:
>
>     * it works on all password forms, not just for OpenID
>     * it forcefully disrupts the flow of the user
>
>
> FUNCTION warning-dialog.onshow()
>
>         IF warning-dialog.contains-dont-show-again-checkbox()
>                 dont-show-again-checkbox.select()
>                 ok-button.click
>                 RETURN ok
>         END IF
>
>         IF anti-phishing-mitigation.is-addon()
>                 anti-phishing-mitigation.uninstall()
>                 RETURN ok
>         END IF
>
>         browser.uninstall()
>         RETURN not-ok
>
> END FUNCTION
>
>
> What's wrong with an identity manager?
>
>
> Regards,
> Dmitry
> =damnian