[OpenID] OpenID and phishing (was Announcing OpenID Authentication2.0 - Implementor's Draft 11)

Scott Kveton scott at janrain.com
Fri Jan 19 15:06:51 UTC 2007

>> Still totally unhappy about the phishing issues, which I blogged
>> about here:
>> http://www.links.org/?p=187
> I have a proposal which I think could greatly reduce the risk of
> phishing: identity providers should /never/ display their login form
> (or a link to the form) on a page that has been redirected to by an
> OpenID consumer.
> Instead, they should instruct the user to navigate to the login page
> themselves. The login page should have a short, memorable URL and
> users should be encouraged to bookmark it themselves when they sign
> up for the provider. The OpenID "landing page" then becomes an
> opportunity to help protect users against phishing rather than just
> being a vector for the attack.
> I've fleshed this out on my blog:
> http://simonwillison.net/2007/Jan/19/phishing/
> Does that sound workable?

One of the greatest strengths of OpenID is the ability for website operators
to lower the barrier to engagement ... User shows up, user enters OpenID,
user is then immediately participating in discussion/posts/comments/etc.
I'm afraid this proposal takes away from that by forcing the user to lose
the "flow" ... Of course its that "flow" that is the problem in terms of

What if the OP cataloged where you just came from and then presented the
screen that you mention?  The user is asked to navigate via a bookmark or
entering the URL in the location bar and then upon logging in is presented
with a link back to the site they just came from.  Then the user can quickly
engage and the site can still kick of the SREG mojo instead of having to go
_back_ to the site in question to re-initiate the login.

Would that work or am I missing something obvious?

- Scott

More information about the general mailing list