[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Ben Laurie benl at google.com
Fri Jan 19 17:40:02 UTC 2007


On 1/19/07, Scott Kveton <scott at janrain.com> wrote:
> >> Solving this problem might not be a goal of the OpenID 2.0 Auth spec,
> >> but surely some attention should be given to mitigating the issue?
> >
> > Exactly. I wouldn't expect OpenID to _solve_ phishing all on its
> > lonesome, but making it worse really does strike me as a serious
> > problem - and one that should cause all security people to recommend
> > avoiding it like the plague. We should be progressing on phishing, not
> > regressing.
>
> I think the suggestions on this list are a great start and I'm sure we'll
> see folks starting to implement them soon.
>
> Ben: since it's clearly not an issue for the spec,

I do not agree that it's not an issue for the spec. As it stands, the
spec completely washes its hands of this issue, and I don't think
that's acceptable.

> do you have any
> suggestions on how to combat phishing for OpenIDs?

a) Push browser authors to add unphishable auth!

b) Drop the religion on plugins in the meantime

I intend to write some more on mitigation soon.

> > OTOH, I think this religious attitude that says browser plugins are to
> > be avoided at all costs is wrong-headed. Browser authentication is
> > broken. Someone has to apply pressure that'll fix that situation!
>
> Even browser extensions can be phished.  What about extensions that do bad
> things to other extensions?  Trojan extensions?
>
> I think there has to be some smarts built into the browser that can't be
> affected by installed extensions to really solve this problem.  I'm excited
> to see Mozilla engaged in this discussion already (thanks Mike for the links
> this morning).

Yes, in an ideal world this kind of stuff will be built into browsers
such that plugins cannot masquerade as it.

>
> - Scott
