[OpenID] Another Client-side Password Phishing Mitigation Idea

Dmitry Shechtman damnian at gmail.com
Sun Jan 21 22:39:44 UTC 2007


You're blinded by that "phishing is imminent, we must change something in
the protocol" panic. I didn't see a viable solution in that department, so I
think we should concentrate our efforts on the client side.

> This kind of detection can be is very easily avoided in my opinion.

Please read my comment carefully. The "fuzzy logic" part is only pertinent
to combo fields. I don't know about the common user, but combo fields are a
sacrifice I am willing to make.

> Identity Manager is one option. We let users to choose their OP, so we
> should let them choose their security plugin/browser.

Just to make things clear, I'm not implementing an identity manager plugin.
I still believe it should be a core browser component, as it is the only
solution to combine advanced security, *improved* usability (contrary to
other suggestions we've seen) and CardSpace integration.

I'd really love to hear what the FireFox/IE folks have to say about this.


Regards,
Dmitry
=damnian




More information about the general mailing list