[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Mike Beltzner beltzner at mozilla.com
Fri Jan 19 22:28:50 UTC 2007


On 19-Jan-07, at 1:43 PM, Gabe Wachob wrote:

> Regarding anti-phishing & IE - isn't that one of the main design goals of
> Cardspace?

Well, yes and no. As I understand it (and the last time I looked at  
it deeply it was called InfoCard, so Things May Have Changed -- I'll  
count on someone telling me if I'm wrong) the way Cardspace works is  
that when a website asks for information, the user reaches into their  
"wallet" to select the "card" that they wish to present.

If the website requesting that information is malicious, Cardspace in  
and of itself does nothing to prevent you from passing the  
information along.

cheers,
mike

> Scenario: Login to your OP with Cardspace and not worry about phishing?
>
> My only point here is that I think the IE people probably think they *have*
> a solution, which may or may not be appealing to people here.
>
> 	-Gabe
>
>> -----Original Message-----
>> From: general-bounces at openid.net [mailto:general-bounces at openid.net]
>> On Behalf Of Scott Kveton
>> Sent: Friday, January 19, 2007 10:02 AM
>> To: Ben Laurie
>> Cc: openid-general
>> Subject: Re: [OpenID] OpenID and phishing (was Announcing
>> OpenIDAuthentication 2.0 - Implementor's Draft 11)
>>
>>>> do you have any
>>>> suggestions on how to combat phishing for OpenID's?
>>>
>>> a) Push browser authors to add unphishable auth!
>>
>> This is starting to happen (with Mozilla anyways).  Anybody know the IE
>> developers?
>>
>>> I intend to write some more on mitigation soon.
>>
>> Great ... Please link to the post here ... Would love to hear your
>> thoughts on this.
>>
>> - Scott
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general