[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Marcin Jagodziński marcin.jagodzinski at gmail.com
Fri Jan 19 23:26:30 UTC 2007

There is partial solution for "stolen cookie problem": use not cookie
value, but a digest of it, generated using secret key stored on
server. Eg. cookie has value "What's your favorite movie" which gives
some hash on server (and this hash is a key to a server stored answer:
"James Bond series").

This is far from perfect, but I feel it reduces problem by magnitude.
If cookie is stolen, the phisher agent can pass it to proper server,
fetch the answer and then present this answer to  user. But it's "user
targeted" trap, not "server targeted".



2007/1/19, George Fletcher <gffletch at aol.com>:
>  My concern with this is that it requires users to allow persistent cookies.
>  This seems inherently insecure, what with hacks to read stored cookies,
> etc.  I pretty much only allow cookies for a session (and hence pretty much
> just use firefox or camino nightly builds that support this functionality).
> For the majority of users, knowing when it is ok to allow persistent cookies
> and when not to is going to be way to complicated to deal with.
>  Maybe the OpenID/Mozilla integration could address this by allowing
> persistent cookies for the OpenID Providers registered with the browser.

More information about the general mailing list