[OpenID] [marketing] Fwd: OpenID Spoofing
chris.messina at gmail.com
Fri Jan 12 09:03:03 UTC 2007
Fyi, I'm angling for an OpenID Mash Pit at Mozilla. Details pending
but generally, talk less, build more.
On 1/12/07, Daniel E. Renfer <Duck at kronkltd.net> wrote:
> On 1/12/07, Dick Hardt <dick at sxip.com> wrote:
> > On 11-Jan-07, at 11:56 PM, Martin Atkins wrote:
> > > ydnar wrote:
> > >> You could visit a malicious site that spoofs your IDP, trolling for
> > >> login info:
> > >>
> > >> 1. Visit site Foo and attempt to log in using OpenID.
> > >> 2. Site Foo notices you input a LiveJournal URL, and sends you to a
> > >> spoofed LJ login page.
> > >> 3. You enter your LJ credentials and are redirected back to site Foo.
> > >> The spoof site now has your LJ credentials.
> > >>
> > >
> > > I think we're already pretty aware of the OP "phishing" attack. The
> > > best solution for now is browser extensions that allow the user to
> > > unambiguously check to see if the current site is their OP. I
> > > understand that there's currently an experimental Firefox extension
> > > out there for doing exactly that, though off the top of my head I
> > > can't remember the name of it.
> > Sxipper? ;-) http://www.sxipper.com
> > (there has been heavy discussion of this topic on the Identity Gang
> > list over the past few days)
> > -- Dick
> I actually think he was thinking of PhOff. I actually don't really
> care for it because it required me to keep its button in my toolbar
> (a space that's already way too crowded as it is), and the color
> scheme looked bad IMO. Also, IIRC, it had a problem where it wouldn't
> change the color back when I switched tabs.
> That said, it seems like a good first effort. It would be pretty easy
> to teach grandma that she is not to type her OP's password anywhere
> unless the whole top of her browser is green.
> Daniel E. Renfer
Citizen Provocateur &
Open Source Ambassador-at-Large
Cell: 412 225-1051
This email is: [ ] bloggable [X] ask first [ ] private
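The check that a browser-side OP indicator of the kind discussed in the thread has to make, as an added example (not code from the thread, PhOff or Sxipper): the user registers the exact origin of their OpenID Provider once, and on every page the extension compares the page's parsed origin to that list, so a spoofed login page on a lookalike host never turns the bar green. The trusted origin and the page URLs are constructed sample values.

```javascript
// Added example: origin check for a browser-side "is this my OP?" indicator.
// TRUSTED_OP_ORIGINS holds the exact scheme://host[:port] of the user's own
// OpenID Provider(s); the LiveJournal origin here is a constructed sample.
const TRUSTED_OP_ORIGINS = new Set([
  "https://www.livejournal.com",
]);

// Normalise a URL to its origin the way the browser does (default ports
// dropped, userinfo stripped, unicode hosts converted to punycode).
// Returns null when the URL does not parse, which is treated as untrusted.
function pageOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;
  }
  return url.origin;
}

// true only when the current page is exactly one of the registered OP origins.
// Lookalikes such as livejournal.com.example.net, userinfo tricks such as
// livejournal.com@example.net, and plain http:// all fail this comparison.
function isKnownOp(urlString) {
  const origin = pageOrigin(urlString);
  if (origin === null || origin === "null") return false;
  return TRUSTED_OP_ORIGINS.has(origin);
}

// Map the decision to the indicator the thread describes: green only on the
// real OP, red when some other site is asking for a password, neutral otherwise.
function indicatorFor(urlString, hasPasswordField) {
  if (isKnownOp(urlString)) return "green";
  return hasPasswordField ? "red" : "neutral";
}
```

A real extension would read the active tab's URL and detect password fields from the DOM; the comparison logic is the part that must stay exact.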