[OpenID] Fwd: OpenID Spoofing

David Nicol davidnicol at gmail.com
Fri Jan 12 20:19:22 UTC 2007

On 1/12/07, Martin Atkins <mart at degeneration.co.uk> wrote:
> I think we're already pretty aware of the OP "phishing" attack. The best
> solution for now is browser extensions that allow the user to
> unambiguously check to see if the current site is their OP. I understand
> that there's currently an experimental Firefox extension out there for
> doing exactly that, though off the top of my head I can't remember the
> name of it.
> Obviously better solutions would be nice moving forward, but I don't
> think we're in that bad a place right now.

The thing that the financial services web sites (bank of america, vanguard, etc)
currently do is show you an image that you selected as a shared secret so
you know you are looking at their log-in page.  Although taking your username
and attempting a login with the target site and scraping the result for the
picture is certainly possible although it could be made tricky to automate, so
that technique merely raises the implementation bar for password traps.

Browser features that provide more usable certificate management might help.

More information about the general mailing list