[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

James A. Donald jamesd at echeque.com
Fri Jan 19 19:11:39 UTC 2007


Marcin Jagodzin'ski wrote:
 > I don't think it will work, sorry. While this prevents
 > phishing, this also prevents OpenID from mass
 > adoption. People are lazy, they don't want to type
 > anything. That is of course my humble opinion.
 >
 > Another idea: what about a permanent cookie set by the OP?
 > A phished OP cannot access it. The cookie can contain
 > some info provided by the user (e.g. the title of his favourite
 > song, his favourite quote). If the cookie can be read, its
 > content is displayed ("Hello johndoe, your
 > favourite song is Yellow Submarine, please login
 > below"); if not, "Hello johndoe, we cannot recognize
 > you, please check the location bar and SSL certificate...
 > etc."

Better than nothing, but the user is never going to check
the location bar, and the SSL certificate contains what is
to the user meaningless gibberish - I am fond of
pointing out that the e-gold site for a very long time
had a certificate that, if anyone had ever looked at it, would
indicate a phishing attempt.

Ultimately fixing phishing requires client side login
software, such as the proposed, but not in fact
implemented, passpet,
http://usablesecurity.com/2006/07/13/ka-ping-yee-and-kragen-sitaker-passpet/

The ideal solution would be something that provided a
passpet-style interface, and also provided the option of
SRP login (which mutually authenticates, both sides
proving they know the password with neither side
revealing it), and if the website detected that option,
it would make SRP login mandatory for that user, so that
the user could never log in except using his personalized
copy of passpet.
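The mutual-authentication property James describes is worth seeing concretely. Below is an added, self-contained SRP-6a exchange in Python; it is illustration written for this archive page, not code from the OpenID project or from passpet. The server stores only a salt and a verifier (never the password), the client proves it knows the password by producing a key-confirmation hash M1, and the server proves it holds the matching verifier by answering with M2. The group parameters are the 1024-bit group from RFC 5054 (transcribed here; demonstration size only), the hash is SHA-256, and the usernames, passwords and the `run_login`/`transcript_contains` helpers are constructed for the example. A look-alike site that does not hold the real verifier ends up in the same position as the wrong-password case below: it cannot produce a valid M2, so the client learns the server is not the one it enrolled with.

```python
import hashlib
import hmac
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A, generator g = 2 (assumed transcription).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding so hash inputs are unambiguous."""
    return n.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_key_x(salt: bytes, username: bytes, password: bytes) -> int:
    return H(salt, hashlib.sha256(username + b":" + password).digest())


def enroll(username: bytes, password: bytes):
    """Registration: the server keeps (salt, verifier) and discards the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key_x(salt, username, password), N)


class Server:
    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v = salt, verifier
        self.A = self.B = self.b = self.K = None

    def challenge(self, A: int):
        if A % N == 0:
            raise ValueError("degenerate client value A")
        self.A = A
        self.b = secrets.randbelow(N - 1) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def check_proof(self, M1: bytes):
        """Returns M2 if the client's proof matches our verifier, else None."""
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        self.K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + self.K).digest()
        if not hmac.compare_digest(expected, M1):
            return None
        return hashlib.sha256(pad(self.A) + M1 + self.K).digest()


class Client:
    def __init__(self, username: bytes, password: bytes):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 1) + 1
        self.A = pow(g, self.a, N)
        self.M1 = self.K = None

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("degenerate server value B")
        u = H(pad(self.A), pad(B))
        if u == 0:
            raise ValueError("degenerate scrambling parameter")
        x = private_key_x(salt, self.username, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1

    def check_server(self, M2) -> bool:
        """The server only gets M2 right if it held the real verifier."""
        if M2 is None:
            return False
        expected = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return hmac.compare_digest(expected, M2)


def run_login(server_password: bytes, client_password: bytes, username=b"johndoe"):
    """Full exchange; returns (server_accepted, client_accepted, wire_transcript)."""
    salt, v = enroll(username, server_password)
    server, client = Server(salt, v), Client(username, client_password)
    salt_out, B = server.challenge(client.A)
    M1 = client.respond(salt_out, B)
    M2 = server.check_proof(M1)
    transcript = [pad(client.A), salt_out, pad(B), M1, M2 or b""]
    return M2 is not None, client.check_server(M2), transcript


def transcript_contains(transcript, needle: bytes) -> bool:
    """True if the secret ever appeared on the wire (it never should)."""
    return any(needle in msg for msg in transcript)


if __name__ == "__main__":
    ok_s, ok_c, t = run_login(b"correct horse", b"correct horse")
    print("matching password:", ok_s, ok_c, "password on wire:", transcript_contains(t, b"correct horse"))
    print("wrong verifier/password:", run_login(b"correct horse", b"wrong")[:2])
```

Both directions fail closed: a client with the wrong password cannot produce an M1 the server accepts, and a server without the right verifier cannot produce an M2 the client accepts, which is what makes the "mandatory SRP for this user" idea bite against a look-alike site.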
