[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Mike Beltzner beltzner at mozilla.com
Fri Jan 19 23:03:42 UTC 2007

On 19-Jan-07, at 12:40 PM, Ben Laurie wrote:

> On 1/19/07, Scott Kveton <scott at janrain.com> wrote:
>>>> Solving this problem might not be a goal of the OpenID 2.0 Auth spec,
>>>> but surely some attention should be given to mitigating the issue?
>>> Exactly. I wouldn't expect OpenID to _solve_ phishing all on its
>>> lonesome, but making it worse really does strike me as a serious
>>> problem - and one that should cause all security people to recommend
>>> avoiding it like the plague. We should be progressing on phishing, not
>>> regressing.
>> I think the suggestions on this list are a great start and I'm sure we'll
>> see folks starting to implement them soon.
>> Ben: since it's clearly not an issue for the spec,
> I do not agree that it's not an issue for the spec. As it stands, the
> spec completely washes its hands of this issue, and I don't think
> that's acceptable.
>> do you have any suggestions on how to combat phishing for OpenIDs?
> a) Push browser authors to add unphishable auth!

Sure thing! Uhm, got the technology for that ready? :)

Seriously, we're very interested. It's not an easy problem. If I'm
missing some easy solution that solves this, please hit me over the
head with it 'cause I'd love nothing more than to drop a bunch of
these working groups I'm on ...


> b) Drop the religion on plugins in the meantime
> I intend to write some more on mitigation soon.
>>> OTOH, I think this religious attitude that says browser plugins are to
>>> be avoided at all costs is wrong-headed. Browser authentication is
>>> broken. Someone has to apply pressure that'll fix that situation!
>> Even browser extensions can be phished. What about extensions that do bad
>> things to other extensions? Trojan extensions?
>> I think there has to be some smarts built into the browser that can't be
>> affected by installed extensions to really solve this problem. I'm excited
>> to see Mozilla engaged in this discussion already (thanks Mike for the links
>> this morning).
> Yes, in an ideal world this kind of stuff will be built into browsers
> s.t. plugins cannot masquerade as it.
>> - Scott
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
