[OpenID] [marketing] Fwd: OpenID Spoofing

Claus Färber gmane at faerber.muc.de
Tue Jan 16 12:33:42 UTC 2007

Dmitry Shechtman wrote:
>> For local logins, you have to follow a special link that brings you to
>> the faked login page.
> MySpace has a Member Login box on its front page.

Yes, so what? How does that relate to what I've written?

If you don't follow a link but type in the URI manually or use a
bookmark, you're quite safe from phishes.

>> In OpenID, this redirection is built into the protocol. Even worse,
>> OpenID is advertised as a system to use on as many sites as possible,
>> not as a system to login to few sites the user trusts.
> That's what I call hostile marketing. OpenID is a system to *use*
> everywhere, not to *login* everywhere. Contrary to the described
> misconception, it reduces the "few sites the user trusts" to only one.

That's what I call sticking your head into the sand. I think you don't 
fully understand and greatly underestimate the threat of phishing.

It's irrelevant if you call it "use" instead of "login". The problem 
does not go away: Every(!) site to which you identify with your OpenID 
can present you with a phish instead of your real OpenID provider.

Do you really think most users will be able to tell the difference 

The usual defence against phishing - using your bookmarks when you want
to log in - does not work because not using your bookmarks to get to the
OpenID provider is part of the protocol. Well, you can avoid it by
always logging in via OpenID first and then visiting any sites but users
in general won't do that. They won't notice if they have to log in a
second time during their browsing session, either.

It's even worse with cross-site scripting. Given the code quality of 
existing OpenID code (some libraries can't even parse the simplest of 
HTML), a lot of these problems will spring up.


