[OpenID] Fwd: OpenID Spoofing

Daniel E. Renfer Duck at Kronkltd.net
Fri Jan 12 08:44:51 UTC 2007


On 1/12/07, Dick Hardt <dick at sxip.com> wrote:
>
> On 11-Jan-07, at 11:56 PM, Martin Atkins wrote:
>
> > ydnar wrote:
> >> You could visit a malicious site that spoofs your IDP, trolling for
> >> login info:
> >>
> >> 1. Visit site Foo and attempt to log in using OpenID.
> >> 2. Site Foo notices you input a LiveJournal URL, and sends you to a
> >> spoofed LJ login page.
> >> 3. You enter your LJ credentials and are redirected back to site Foo.
> >> The spoof site now has your LJ credentials.
> >>
> >
> > I think we're already pretty aware of the OP "phishing" attack. The best
> > solution for now is browser extensions that allow the user to
> > unambiguously check to see if the current site is their OP. I understand
> > that there's currently an experimental Firefox extension out there for
> > doing exactly that, though off the top of my head I can't remember the
> > name of it.
>
> Sxipper? ;-) http://www.sxipper.com
>
> (there has been heavy discussion of this topic on the Identity Gang
> list over the past few days)
>
> -- Dick

I actually think he was thinking of PhOff. [1] I actually don't really
care for it because it required me to keep its button in my toolbar
(a space that's already way too crowded as it is), and the color
scheme looked bad IMO. Also, IIRC, it had a problem where it wouldn't
change the color back when I switched tabs.

That said, it seems like a good first effort. It would be pretty easy
to teach grandma that she is not to type her OP's password anywhere
unless the whole top of her browser is green.

-- 
Daniel E. Renfer
http://kronkltd.net/


