[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

John Kemp frumioj at mac.com
Fri Jan 19 17:06:53 UTC 2007


With all due respect, I think you might be missing Ben's point.

As I understood his post, he's saying that if an evil OP can masquerade
as your OP, then they not only steal your login credentials, but can
make assertions about the link between you (or your user-agent) and your
OpenID. Assertions to any RP who'll take an OpenID assertion.

Secondly, I think he's saying that all you need to do to start this
attack is to be, yourself, an evil RP, sending you off to the evil OP.

In other words, phishing probably becomes easier (how hard is it to make
a reasonable-looking RP?) and more devastating (I've stolen the ability
to make assertions about you to other RPs who "trust" your OP)

Solving this problem might not be a goal of the OpenID 2.0 Auth spec.
but surely some attention should be given to mitigating the issue?


- John

Dick Hardt wrote:
> +1
> On 19-Jan-07, at 7:55 AM, Mike Beltzner wrote:
>> At this juncture I feel that I should mention that I don't think
>> "fixing phishing" should be a goal of OpenID. Improving things, and
>> certainly not regressing is a must. But ensuring a perfect system
>> might needlessly deadlock us.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general

More information about the general mailing list