[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Mike Beltzner beltzner at mozilla.com
Fri Jan 19 15:25:54 UTC 2007

On 19-Jan-07, at 10:19 AM, George Fletcher wrote:

> My concern with this is that it requires users to allow persistent  
> cookies.  This seems inherently insecure, what with hacks to read  
> stored cookies, etc.  I pretty much only allow cookies for a  
> session (and hence pretty much just use firefox or camino nightly  
> builds that support this functionality).  For the majority of  
> users, knowing when it is ok to allow persistent cookies and when  
> not to is going to be way to complicated to deal with.
> Maybe the OpenID/Mozilla integration could address this by allowing  
> persistent cookies for the OpenID Providers registered with the  
> browser.

Why cookies? They're so 1990. ;) Let's take advantage of the client- 
side persistent object storage APIs introduced in Gecko 1.8.1/Firefox  
2 that are specified by the WHATWG Web Applications 1.0 standard[1],  
which domain-scopes and everything.


[1]: http://www.whatwg.org/specs/web-apps/current-work/#storage

> Thanks,
> George
> Marcin Jagodziński wrote:
>> I don't think it will work, sorry. While this prevents phishing,  
>> this also prevents OpenID from mass adoption. People are lazy,  
>> they don't want do type anything. That of course my humble  
>> opinion. Another idea: what about permanent cookie set by OP?  
>> Phished OP cannot access it. The cookie can contain some info  
>> provided by user (eg. title of his favourite song, his favorite  
>> quote). If cookie can be read, the content of it is displayed  
>> ("Hello johndoe, your favorite song is Yellow Submarine, please  
>> login below"), if not "Hello johndoe, we cannot recognize you,  
>> please check location bar and SSL certificate... etc") What do you  
>> think about it? regards, Marcin 2007/1/19, Simon Willison  
>> <simon at simonwillison.net>:
>>> On 19 Jan 2007, at 14:19, Ben Laurie wrote:
>>>> Still totally unhappy about the phishing issues, which I blogged  
>>>> about here: http://www.links.org/?p=187
>>> I have a proposal which I think could greatly reduce the risk of  
>>> phishing: identity providers should /never/ display their login  
>>> form (or a link to the form) on a page that has been redirected  
>>> to by an OpenID consumer. Instead, they should instruct the user  
>>> to navigate to the login page themselves. The login page should  
>>> have a short, memorable URL and users should be encouraged to  
>>> bookmark it themselves when they sign up for the provider. The  
>>> OpenID "landing page" then becomes an opportunity to help protect  
>>> users against phishing rather than just being a vector for the  
>>> attack. I've fleshed this out on my blog: http:// 
>>> simonwillison.net/2007/Jan/19/phishing/ Does that sound workable?  
>>> Cheers, Simon _______________________________________________  
>>> general mailing list general at openid.net http://openid.net/mailman/ 
>>> listinfo/general
>> _______________________________________________ general mailing  
>> list general at openid.net http://openid.net/mailman/listinfo/general
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

More information about the general mailing list