[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Scott Kveton scott at janrain.com
Fri Jan 19 15:18:15 UTC 2007

> I don't think it will work, sorry. While this prevents phishing, this
> also prevents OpenID from mass adoption. People are lazy, they don't
> want do type anything. That of course my humble opinion.
> Another idea: what about permanent cookie set by OP? Phished OP cannot
> access it. The cookie can contain some info provided by user (eg.
> title of his favourite song, his favorite quote). If cookie can be
> read, the content of it is displayed ("Hello johndoe, your favorite
> song is Yellow Submarine, please login below"), if not "Hello johndoe,
> we cannot recognize you, please check location bar and SSL
> certificate... etc")
> What do you think about it?

This is much like what the Yahoo site seal does today.  The seal is user
chosen and not tied to the login ... There is more magic to it though as I
understand there is some flash in there too?  You could do this with a
question like you mention, an image, etc.

I think the reality is that we'll need a combination of these options for
the users, most likely with the default set to "paranoid" and then they
would have the option of disabling if they so choose.

It doesn't seem like any of these are in the scope of the OpenID spec (not
that they have to, but its interesting that they aren't).

- Scott

> 2007/1/19, Simon Willison <simon at simonwillison.net>:
>> On 19 Jan 2007, at 14:19, Ben Laurie wrote:
>>> Still totally unhappy about the phishing issues, which I blogged
>>> about here:
>>> http://www.links.org/?p=187
>> I have a proposal which I think could greatly reduce the risk of
>> phishing: identity providers should /never/ display their login form
>> (or a link to the form) on a page that has been redirected to by an
>> OpenID consumer.
>> Instead, they should instruct the user to navigate to the login page
>> themselves. The login page should have a short, memorable URL and
>> users should be encouraged to bookmark it themselves when they sign
>> up for the provider. The OpenID "landing page" then becomes an
>> opportunity to help protect users against phishing rather than just
>> being a vector for the attack.
>> I've fleshed this out on my blog:
>> http://simonwillison.net/2007/Jan/19/phishing/
>> Does that sound workable?
>> Cheers,
>> Simon
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

More information about the general mailing list