[OpenID] Anti-phishing workaround idea

Gabe Wachob gabe.wachob at amsoft.net
Thu Jan 18 20:48:40 UTC 2007


Good questions, for sure. That's why this is titled "workaround", not
"solution". 

To answer your questions, I don't know many normal users who keep their
browsers open for days or months. Though you are right, an OP may not want
to keep a cookie open even for the length of a workday. 

And you are right, a phisher could present a login page even if the user is
already logged in and the user would naively use it. That is a bit of a
problem, isn't it! An OP could address this, for example, by letting the
user know that they will *never* be prompted for a login unless they've
explicitly logged out (which may mean that if an OP expires a session, the
user would have to close the browser, re-open it, and have the plugin or the
user revisit the OP login page via bookmark or configured link to give
relatively high assurance they aren't being phished). 

Again, I'm not talking about a perfect solution. Just things that an OP
could do today with a combination of policy and user education. 

My point is merely that if the user is trained/forced/encouraged to be
signed in before an evil RP site has a chance to do a
phishing/pharming-style redirect, there is somewhat less exposure. 

	-Gabe

> -----Original Message-----
> From: john kemp [mailto:john.kemp at mac.com]
> Sent: Thursday, January 18, 2007 12:32 PM
> To: Gabe Wachob
> Cc: 'openid-general'
> Subject: Re: [OpenID] Anti-phishing workaround idea
> 
> Gabe Wachob wrote:
> 
> > Many OP's set a (session) cookie after you log in so that when you
> > authenticate once in a browser session, you don't have to authenticate
> > again.
> 
> How many users know that the authentication happens only once a browser
> session vs. at the whim of their OP?
> 
> How many OPs are willing to set cookies that are valid for the length of
> an entire browser session (which may be days or even months), rather
> than a specific amount of time (an hour perhaps) determined by the OP's
> clock, and not that of the client?
> 
> - J
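The two mechanisms discussed in this exchange, sketched as an added example (not code from the thread or from any OpenID implementation): an OP-side session store whose cookie is a browser "session" cookie, but whose validity is bounded by the OP's own clock and a server-chosen maximum age, plus the "never prompt a signed-in user" policy Gabe describes. All names, the one-hour lifetime and the cookie name are assumptions.

```python
# Added example, not from the thread. Illustrates (1) John's point: a cookie
# without Expires lives as long as the browser, so the OP bounds it server-side
# using its own clock; (2) Gabe's policy: the OP shows a login prompt only when
# there is no live session or the user explicitly logged out, so an unexpected
# prompt is a signal to the user. A phisher can still render a fake form; this
# only reduces how often a genuine prompt looks the same.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_MAX_AGE = 60 * 60  # assumed OP-chosen lifetime: one hour, in seconds


@dataclass
class Session:
    user: str
    issued_at: float          # taken from the OP's clock, never the client's
    logged_out: bool = False  # set only by an explicit logout


_sessions: Dict[str, Session] = {}


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def create_session(user: str, now: Optional[float] = None) -> str:
    """Record a login and return the opaque id that goes into the cookie."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = Session(user=user, issued_at=_now(now))
    return sid


def set_cookie_header(sid: str) -> str:
    """Browser-session cookie: no Expires/Max-Age, so it dies with the browser,
    yet session_is_valid() still enforces the OP's own maximum age."""
    return f"Set-Cookie: op_session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def session_is_valid(sid: str, now: Optional[float] = None) -> bool:
    s = _sessions.get(sid)
    if s is None or s.logged_out:
        return False
    return _now(now) - s.issued_at < SESSION_MAX_AGE


def logout(sid: str) -> None:
    s = _sessions.get(sid)
    if s is not None:
        s.logged_out = True


def should_show_login_form(sid: Optional[str], now: Optional[float] = None) -> bool:
    """Policy: a user holding a live session is never prompted to log in."""
    return sid is None or not session_is_valid(sid, now)
```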
