[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Simon Willison simon at simonwillison.net
Fri Jan 19 14:45:08 UTC 2007

On 19 Jan 2007, at 14:19, Ben Laurie wrote:

> Still totally unhappy about the phishing issues, which I blogged  
> about here:
> http://www.links.org/?p=187

I have a proposal which I think could greatly reduce the risk of  
phishing: identity providers should /never/ display their login form  
(or a link to the form) on a page that has been redirected to by an  
OpenID consumer.

Instead, they should instruct the user to navigate to the login page  
themselves. The login page should have a short, memorable URL and  
users should be encouraged to bookmark it themselves when they sign  
up for the provider. The OpenID "landing page" then becomes an  
opportunity to help protect users against phishing rather than just  
being a vector for the attack.

I've fleshed this out on my blog:


Does that sound workable?



More information about the general mailing list