[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Scott Kveton scott at janrain.com
Fri Jan 19 17:30:51 UTC 2007

>> Solving this problem might not be a goal of the OpenID 2.0 Auth spec.
>> but surely some attention should be given to mitigating the issue?
> Exactly. I wouldn't expect OpenID to _solve_ phishing all on its
> lonesome, but making it worse really does strike me as a serious
> problem - and one that should cause all security people to recommend
> avoiding it like the plague. We should be progressing on phishing, not
> regressing.

I think the suggestions on this list are a great start and I'm sure we'll
see folks starting to implement them soon.

Ben: since it's clearly not an issue for the spec, do you have any
suggestions on how to combat phishing for OpenIDs?

> OTOH, I think this religious attitude that says browser plugins are to
> be avoided at all costs is wrong-headed. Browser authentication is
> broken. Someone has to apply pressure that'll fix that situation!

Even browser extensions can be phished.  What about extensions that do bad
things to other extensions?  Trojan extensions?

I think there has to be some smarts built into the browser that can't be
affected by installed extensions to really solve this problem.  I'm excited
to see Mozilla engaged in this discussion already (thanks Mike for the links
this morning).

- Scott

