[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Gavin Baumanis gavin.baumanis at rmit.edu.au
Fri Jan 19 23:56:01 UTC 2007

Scott  - and everyone else on the list....
My query is at your comment (Scott) of 
>>Ben: since it's clearly not an issue for the spec, do you have any
>>suggestions on how to combat phishing for OpenIDs?
Firstly - I don't have an answer - I don't even have a vague
I completely understand that it is not an OpenID issue - it affects
all www traffic.
Now for the possibility of completely embarrassing myself - due to lack
of knowledge:
How can it be considered out of spec for OpenID, if the mechanics of
OpenID authentication seem to assist phishing?
I clearly see it being something that can hold up the official release
of OpenID 2.0 for a pretty lengthy time - and I realise nobody wants
that to happen.
I take onboard the thoughts of others on the list of not getting bogged
down in attribute exchange etc, to the detriment of the 2.0 spec, that
those things should be treated separately and the spec should get the
"final release" that everyone wants.
It just seems a little naive / slack, even, to take the attitude that
since phishing is such a big issue and since OpenID isn't the only
technology affected by it - then we shouldn't get involved in it. - Now,
I realise that no one is suggesting that either.... but I think not
addressing it in the spec - considering OpenID "almost" lends itself to
a phishing attack - is not a wise decision either.
I could be completely wrong - and would truly appreciate to be pointed
in the right direction - if I have it wrong.

>>> On Saturday, January 20, 2007 at 04:30, in message <C1D6404B.27172%scott at janrain.com>, Scott Kveton <scott at janrain.com>
>> Solving this problem might not be a goal of the OpenID 2.0 Auth
>> but surely some attention should be given to mitigating the issue?
> Exactly. I wouldn't expect OpenID to _solve_ phishing all on its
> lonesome, but making it worse really does strike me as a serious
> problem - and one that should cause all security people to recommend
> avoiding it like the plague. We should be progressing on phishing,
> regressing.

I think the suggestions on this list are a great start and I'm sure
see folks starting to implement them soon.

Ben: since it's clearly not an issue for the spec, do you have any
suggestions on how to combat phishing for OpenIDs?

> OTOH, I think this religious attitude that says browser plugins are
> be avoided at all costs is wrong-headed. Browser authentication is
> broken. Someone has to apply pressure that'll fix that situation!

Even browser extensions can be phished.  What about extensions that do
things to other extensions?  Trojan extensions?

I think there has to be some smarts built into the browser that can't
affected by installed extensions to really solve this problem.  I'm
to see Mozilla engaged in this discussion already (thanks Mike for the
this morning).

- Scott

general mailing list
general at openid.net 