[OpenID] [marketing] Fwd: OpenID Spoofing

Chris Messina chris.messina at gmail.com
Fri Jan 12 08:05:56 UTC 2007

This is also not unique to OpenID. It's a problem with any remote
login system -- even local logins (see MySpace).

Seems to me it's documenting best practices, educating folks, and
getting friends to look out for one another. Surprise surprise,
technology can't solve all problems.



On 1/11/07, Martin Atkins <mart at degeneration.co.uk> wrote:
> ydnar wrote:
> > You could visit a malicious site that spoofs your IDP, trolling for
> > login info:
> >
> > 1. Visit site Foo and attempt to log in using OpenID.
> > 2. Site Foo notices you input a LiveJournal URL, and sends you to a
> > spoofed LJ login page.
> > 3. You enter your LJ credentials and are redirected back to site Foo.
> > The spoof site now has your LJ credentials.
> >
> I think we're already pretty aware of the OP "phishing" attack. The best
> solution for now is browser extensions that allow the user to
> unambiguously check to see if the current site is their OP. I understand
> that there's currently an experimental Firefox extension out there for
> doing exactly that, though off the top of my head I can't remember the
> name of it.
> Obviously better solutions would be nice moving forward, but I don't
> think we're in that bad a place right now.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

Chris Messina
Citizen Provocateur &
  Open Source Ambassador-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is:   [ ] bloggable    [X] ask first   [ ] private

More information about the general mailing list