[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Marcin Jagodziński marcin.jagodzinski at gmail.com
Fri Jan 19 15:12:16 UTC 2007


I don't think it will work, sorry. While this prevents phishing, this
also prevents OpenID from mass adoption. People are lazy, they don't
want to type anything. That's of course my humble opinion.

Another idea: what about a permanent cookie set by the OP? A phished OP cannot
access it. The cookie can contain some info provided by the user (e.g.
the title of his favourite song, his favourite quote). If the cookie can be
read, its content is displayed ("Hello johndoe, your favorite
song is Yellow Submarine, please login below"); if not, "Hello johndoe,
we cannot recognize you, please check the location bar and SSL
certificate... etc."

What do you think about it?

regards,

Marcin

2007/1/19, Simon Willison <simon at simonwillison.net>:
>
> On 19 Jan 2007, at 14:19, Ben Laurie wrote:
>
> > Still totally unhappy about the phishing issues, which I blogged
> > about here:
> >
> > http://www.links.org/?p=187
>
> I have a proposal which I think could greatly reduce the risk of
> phishing: identity providers should /never/ display their login form
> (or a link to the form) on a page that has been redirected to by an
> OpenID consumer.
>
> Instead, they should instruct the user to navigate to the login page
> themselves. The login page should have a short, memorable URL and
> users should be encouraged to bookmark it themselves when they sign
> up for the provider. The OpenID "landing page" then becomes an
> opportunity to help protect users against phishing rather than just
> being a vector for the attack.
>
> I've fleshed this out on my blog:
>
> http://simonwillison.net/2007/Jan/19/phishing/
>
> Does that sound workable?
>
> Cheers,
>
> Simon
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
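Marcin's permanent-cookie idea, worked through as an added example that is not part of this thread: a hypothetical OP at op.example keeps the user's phrase server-side behind an opaque random token in a Secure, HttpOnly cookie, and a minimal model of the browser's host-scoped cookie jar shows why a lookalike host (0p.example) never receives it. The hostnames, user name, phrase and cookie name are all constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory state for a hypothetical OP at op.example; a real OP
# would keep this in its user database.
COOKIE_NAME = "op_recognition"
RECOGNITION = {}  # opaque cookie token -> (username, phrase chosen at signup)

def issue_recognition_cookie(username, phrase):
    """At signup: keep the phrase server-side and give the browser only a random
    opaque token, so the cookie itself reveals nothing if it is ever captured."""
    token = secrets.token_urlsafe(32)
    RECOGNITION[token] = (username, phrase)
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["secure"] = True              # HTTPS only
    jar[COOKIE_NAME]["httponly"] = True            # hidden from page scripts
    jar[COOKIE_NAME]["max-age"] = 365 * 24 * 3600  # "permanent"
    return jar[COOKIE_NAME].OutputString()         # Set-Cookie header value

def login_greeting(username, cookie_header):
    """Greeting on the OP login page, from the Cookie header the browser sent."""
    if cookie_header:
        morsel = SimpleCookie(cookie_header).get(COOKIE_NAME)
        owner, phrase = RECOGNITION.get(morsel.value if morsel else "", (None, None))
        if owner == username:
            return f"Hello {username}, your favorite song is {phrase}, please login below"
    return (f"Hello {username}, we cannot recognize you, please check the "
            "location bar and SSL certificate before entering your password")

class BrowserJar:
    """Minimal model of the browser's host-scoped cookie store: a cookie set by
    one host is never attached to a request for another, so a lookalike OP never sees it."""
    def __init__(self):
        self._by_host = {}
    def store(self, host, set_cookie_header):
        parsed = SimpleCookie(set_cookie_header)
        self._by_host.setdefault(host, {}).update({k: m.value for k, m in parsed.items()})
    def cookie_header(self, host):
        return "; ".join(f"{k}={v}" for k, v in self._by_host.get(host, {}).items())

def simulate():
    """Sign up at the real OP, then log in at the real OP and at a lookalike host."""
    jar = BrowserJar()
    jar.store("op.example", issue_recognition_cookie("johndoe", "Yellow Submarine"))
    return (login_greeting("johndoe", jar.cookie_header("op.example")),
            login_greeting("johndoe", jar.cookie_header("0p.example")))

if __name__ == "__main__":
    print(*simulate(), sep="\n")
```

The greeting only confirms the OP to the user; it does not replace checking the location bar, since a phishing page can still show a generic "we cannot recognize you" text and hope the user logs in anyway.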
