[OpenID] [marketing] Fwd: OpenID Spoofing

Dmitry Shechtman damnian at gmail.com
Tue Jan 16 13:10:43 UTC 2007

> If you don't follow a link but type in the URI manually or use a
> bookmark, you're quite save from phishes.

Wrong. Google for DNS spoofing.

> That's what I call sticking your head into the sand. I think you don't
> fully understand and greatly underestimate the threat of phishing.

If I did, I wouldn't be trying so hard to find a solution.

> It's irrelevant if you call it "use" instead of "login". The problem
> does not go away: Every(!) site to which you identify with your OpenID
> can present you with a phish instead of your real OpenID provider.

Why would a user want to log into such sites? Although the protocol has to
be foolproof, you are presenting an overly-fool scenario.

> The usual defence against phising - using your bookmarks when you want
> to login - does not work because not using your bookmarks to get to the
> OpenID provider is part of the protocol. Well, you can avoid it by
> always logging in via OpenID first and then visiting any sites but users
> in general won't do that. They won't notice if they have to login a
> second time during their browsing session, either.

Now who's sticking his head in the sand? Using bookmarks isn't a defense.

As for logging in prior to RP request, that would require the user to set
her browser's start page to be OP login. Maybe this isn't such a bad idea.

> It's even worse with cross-site scripting. Given the code quality of
> existing OpenID code (some libraries can't even parse the simplest of
> HTML), a lot of these problems will spring up.

Although I could agree with you on the code quality, it has nothing to do
with the security of the protocol. If you see a bug in a free library, go
ahead and fix it (BTW you don't need to parse HTML in order to prevent XSS).


More information about the general mailing list