[OpenID] Fwd: OpenID Spoofing

Thomas Maloney thomas.l.maloney at gmail.com
Fri Jan 12 21:37:45 UTC 2007


Hopefully the new EV SSL certificates can help identify spoofing of
IDPs. There are issues with EV SSL, like adoption and consumer
recognition.
-Tom

On Jan 12, 2007, at 2:56 AM, Martin Atkins wrote:

> ydnar wrote:
>> You could visit a malicious site that spoofs your IDP, trolling for
>> login info:
>>
>> 1. Visit site Foo and attempt to log in using OpenID.
>> 2. Site Foo notices you input a LiveJournal URL, and sends you to a
>> spoofed LJ login page.
>> 3. You enter your LJ credentials and are redirected back to site Foo.
>> The spoof site now has your LJ credentials.
>>
>
> I think we're already pretty aware of the OP "phishing" attack. The best
> solution for now is browser extensions that allow the user to
> unambiguously check to see if the current site is their OP. I understand
> that there's currently an experimental Firefox extension out there for
> doing exactly that, though off the top of my head I can't remember the
> name of it.
>
> Obviously better solutions would be nice moving forward, but I don't
> think we're in that bad a place right now.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
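The check Martin describes (is the site the RP just sent me to actually my OP?) can be made mechanical rather than left to a glance at the address bar. The script below is an added example, not code from this thread, from LiveJournal or from any OpenID library: it performs the OpenID 1.1/2.0 HTML discovery step on the user's claimed identifier page (the `<link rel="openid.server">` / `<link rel="openid2.provider">` tags), then compares the scheme, host and path of an RP's `checkid_setup` redirect against the discovered endpoint. The identifier page HTML, the endpoint URL and the redirect URLs are all constructed for illustration; the real LiveJournal endpoint of the time is not assumed.

```python
"""Compare an RP's checkid_setup redirect with the OP discovered from the
user's claimed identifier.  Added example; the HTML and URLs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed identifier page: what a user's OpenID URL might serve.
SAMPLE_IDENTIFIER_HTML = """<html><head>
<link rel="openid.server" href="https://www.livejournal.com/openid/server.bml">
<link rel="openid2.provider" href="https://www.livejournal.com/openid/server.bml">
</head><body>ydnar's journal</body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collect hrefs of <link> tags whose rel names an OpenID endpoint."""

    def __init__(self):
        super().__init__()
        self.endpoints = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if ("openid.server" in rels or "openid2.provider" in rels) and a.get("href"):
            self.endpoints.append(a["href"])


def discover_op_endpoint(identifier_html):
    """Return the first OP endpoint the identifier page advertises, or None."""
    p = _OpenIDLinkParser()
    p.feed(identifier_html)
    return p.endpoints[0] if p.endpoints else None


def _endpoint_key(url):
    """(scheme, host, path) with case folded and a trailing dot stripped, so
    'HTTPS://LiveJournal.com./openid/server.bml' equals the discovered value."""
    u = urlparse(url)
    host = (u.hostname or "").lower().rstrip(".")
    return u.scheme.lower(), host, u.path or "/"


def check_redirect(redirect_url, op_endpoint):
    """Decide whether a checkid_setup redirect really targets the discovered OP.

    Returns (ok, reason).  The comparison is exact on scheme, host and path:
    a lookalike host (livejourna1.com), a suffix trick
    (livejournal.com.evil.example) or a different path on the real host all
    fail, which is exactly what a human glancing at the location bar gets wrong.
    """
    if op_endpoint is None:
        return False, "no OP endpoint discovered for the claimed identifier"
    if _endpoint_key(redirect_url) != _endpoint_key(op_endpoint):
        return False, "redirect %r does not match discovered OP endpoint %r" % (
            redirect_url.split("?")[0], op_endpoint)
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("openid.mode") != ["checkid_setup"]:
        return False, "redirect is not a checkid_setup request"
    return True, "redirect matches discovered OP endpoint"


def demo():
    """Run the check over one legitimate and three spoofed redirects."""
    ep = discover_op_endpoint(SAMPLE_IDENTIFIER_HTML)
    candidates = [
        "https://www.livejournal.com/openid/server.bml?openid.mode=checkid_setup"
        "&openid.identity=https://ydnar.livejournal.com/"
        "&openid.return_to=https://foo.example/finish",
        "https://www.livejourna1.com/openid/server.bml?openid.mode=checkid_setup",
        "https://www.livejournal.com.evil.example/openid/server.bml?openid.mode=checkid_setup",
        "https://www.livejournal.com/login?openid.mode=checkid_setup",
    ]
    return [check_redirect(c, ep) for c in candidates]


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "SPOOF", reason)
```

A browser extension would apply the same comparison against the OP the user has pinned for their identifier rather than re-running discovery on each login, since a phishing RP could also lie about discovery; the host/path equality test is the part that does not depend on how the expected endpoint was obtained.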
