[OpenID] [security] Another Client-side Password Phishing Mitigation Idea
christopher at pobox.com
Mon Jan 22 04:23:37 UTC 2007
Read my proposals from about 3 months back. I explained how plugins
will need to recognize OpenID login pages. I proposed the technical
solution. It's the same concept as "IdP initiated logins" (since
something else besides the RP web page initiates the login - eg - the
Be warned - my proposal got flamed and ignored.
A few times subsequent to my proposal, I requested someone correlate
all the proposals - again - this hasn't happened, so now we find
ourselves back in a loop discussing the same things again.
IMHO - OpenID needs to have hooks to let anti-phishing technology
evolve, otherwise both will die off (succumbing to InfoCard).
Monday, January 22, 2007, 5:35:57 AM, you wrote:
MJ> Maybe I don't understand this correctly, but... well the author of
MJ> this noticed this too:
MJ> / flash to bypass the check"
MJ> That's right. In my opinion you have to both: change the UI on every
MJ> page that claims to be an OP (or includes "password" field, although I
MJ> think it's too broad) AND warn user if OP is suspicious. This is the
MJ> missing part of this idea. If "phisher" wants to trick the plugin by
MJ> not using the "password" field, we should just let him do this. And
MJ> make the user see the difference.
MJ> 2007/1/21, Tan, William <William.Tan at neustar.biz>:
>> This is a combination of techniques that may mitigate password phishing:
>> combine a whitelist + warning pop-up with prominent display of target
>> domain and a time-delayed button.
>> Comments are most welcome.
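The whitelist-plus-warning check William describes, as an added example written for this page (it is not code from the thread or from any OpenID plugin); the whitelisted OP domains and the form-action URLs are constructed, and the verdict names are my own.

```javascript
// Added example (not from the thread): a client-side check in the spirit of
// the "whitelist + warning pop-up with prominent target domain" proposal.
// Given the action URL of a form that claims to be an OpenID Provider login,
// decide whether to let it through quietly, or to warn and surface the host
// that would really receive the password. The whitelist is constructed.
const TRUSTED_OPS = ["myopenid.example", "openid.example.net"];

// Host that actually receives the credentials. The URL parser is used instead
// of string matching so userinfo tricks such as
// "https://myopenid.example@evil.example/" resolve to evil.example, and so
// IDN hosts come back in their ASCII (punycode) form, which is the form the
// warning should display so a look-alike name cannot pass for a trusted one.
function targetHost(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // unparsable: treat as unknown
  }
  if (url.protocol !== "https:") {
    return null; // credentials would travel in the clear; never whitelist
  }
  return url.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
}

// Exact host or a subdomain of a whitelisted OP. A bare suffix match on the
// string would accept "myopenid.example.evil.example", so the boundary must
// be a dot.
function isWhitelisted(host, whitelist = TRUSTED_OPS) {
  if (!host) return false;
  return whitelist.some((w) => host === w || host.endsWith("." + w));
}

// Verdict the plugin acts on:
//   "allow": known OP, normal UI
//   "warn":  unknown OP, show the host prominently and delay the submit button
//   "block": not https or unparsable, no sensible place to send a password
function assess(formAction, whitelist = TRUSTED_OPS) {
  const host = targetHost(formAction);
  if (host === null) return { verdict: "block", host: null };
  if (isWhitelisted(host, whitelist)) return { verdict: "allow", host };
  return { verdict: "warn", host };
}
```

The `host` returned for a "warn" verdict is the value to print in the warning dialog, since it is what the browser will actually connect to rather than what the page's text claims.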