[OpenID] [marketing] Fwd: OpenID Spoofing

Claus Färber GMANE at faerber.muc.de
Sun Jan 14 12:40:17 UTC 2007


Chris Messina wrote:
> This is also not unique to OpenID. It's a problem with any remote
> login system -- even local logins (see MySpace).

For local logins, you have to follow a special link that brings you to 
the faked login page.

In OpenID, this redirection is built into the protocol. Even worse, 
OpenID is advertised as a system to use on as many sites as possible, 
not as a system to log in to few sites the user trusts.

With cross-site scripting, IDN homographs, etc., there are methods that 
may make detecting a phishing attack nearly impossible.

Claus



