[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sat Jan 20 00:20:52 UTC 2007


OpenID is more vulnerable to phishing than "normal web browsing". But
I feel we can use it as an advantage!

Plug-in/browser based approach: First we need to find out if the
website claims to be an OP. It's easy (isn't it?). The browser can analyze
requests, and if a request matches the OpenID specs, the "final" website
after all redirects will be treated as an OP ("good" or "bad"). Then it's
just a matter of keeping a list of visited OPs (and maybe connecting
to a list of known "good" OPs and a blacklist of phishing OPs).

If it claims to be an OP and the user has not visited it before, a HUGE
alert should pop up before submitting any form: "This [URL] webpage
claims to be your Identity Provider. But it seems you've never used it
before. [Optional: if not on whitelist: What's even more suspicious:
very few users used it before]. Please check its address very
carefully and submit your password only if you're 101% sure that this
is your Identity Provider"

What do you think about it? We do not need a total antiphishing
solution (so repeating that "OpenID is vulnerable in the same way
every webpage is" won't help us). My method can't protect you from
entering phishing OP directly, but it's outside our scenario.


regards,

Marcin
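A small model of the browser-side heuristic described above, added here as an illustration and not code from the thread or from any OpenID implementation. It recognises an OpenID authentication request by the `openid.mode` parameter, treats the host of the last URL in the redirect chain as the claimed OP, and decides whether to warn before a password form is submitted there; the hosts, lists and redirect chain are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qs

# Modes an OP endpoint receives when a Relying Party redirects the user to it.
OPENID_AUTH_MODES = {"checkid_setup", "checkid_immediate"}


def is_openid_auth_request(url):
    """True if the URL carries an OpenID authentication request."""
    modes = parse_qs(urlsplit(url).query).get("openid.mode", [])
    return any(m in OPENID_AUTH_MODES for m in modes)


def claimed_op(redirect_chain):
    """Host of the final URL of a chain that contained an OpenID auth
    request, or None if no URL in the chain was such a request."""
    if not any(is_openid_auth_request(u) for u in redirect_chain):
        return None
    return urlsplit(redirect_chain[-1]).hostname


def classify_op(host, visited_ops, trusted_ops=frozenset(), blocked_ops=frozenset()):
    """Verdict for a prospective OP host: ('block' | 'ok' | 'warn', message)."""
    if host in blocked_ops:
        return "block", f"{host} is on the phishing OP blacklist."
    if host in visited_ops:
        return "ok", f"{host} has been your Identity Provider before."
    msg = (f"This webpage ({host}) claims to be your Identity Provider, "
           "but it seems you've never used it before.")
    if host not in trusted_ops:
        msg += " What's even more suspicious: very few users have used it before."
    msg += " Please check its address very carefully before submitting your password."
    return "warn", msg


def check_login_page(redirect_chain, visited_ops, trusted_ops=frozenset(), blocked_ops=frozenset()):
    """Whole heuristic: None if the chain is not an OpenID login, else the verdict."""
    host = claimed_op(redirect_chain)
    if host is None:
        return None
    return classify_op(host, visited_ops, trusted_ops, blocked_ops)


# Constructed sample chain: the RP redirects the user with an OpenID request
# to the OP endpoint, which bounces once more to a look-alike login host.
SAMPLE_CHAIN = [
    "https://rp.example/start",
    "https://op.example/server?openid.mode=checkid_setup"
    "&openid.identity=https://alice.op.example/&openid.return_to=https://rp.example/done",
    "https://login.op-example.test/auth",
]
```

A real extension would additionally need the visited-OP list to be writable only by the browser itself, which is the point Scott raises below about trojan extensions.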

2007/1/20, Gavin Baumanis <gavin.baumanis at rmit.edu.au>:
>
>
> Scott  - and everyone else on the list....
>
> My query is at your comment (Scott) of
>
> >>Ben: since its clearly not an issue for the spec, do you have any
> >>suggestions on how to combat phishing for OpenID's?
>
> Firstly - I don't have an answer - I don't even have a vague suggestion...
> I completely understand that it is not an OpenId issue. - it affects all www
> traffic.
>
> Now for the possibility of completely embarrassing myself - due to lack of
> knowledge;
>
> How can it be considered out of spec for OpenId, if the mechanics of OpenId
> authentication seem to assist phishing?
> I clearly see it being something that can hold up the official release of
> OpenId 2.0 for a pretty lengthy time - and I realise nobody wants that to
> happen.
>
> I take onboard the thoughts of others on the list of not getting bogged down
> in attribute exchange etc, to the detriment of the 2.0 spec. that those
> things should be treated separately and the spec should get the "final
> release" that everyone wants.
>
> It just seems a little naive / slack, even, to take the attitude that since
> phishing is such a big issue and since OpenId isn't the only technology
> affected by it - then we shouldn't get involved in it. - Now, I realise that
> no one is suggesting that either.... but I think not addressing it in the
> spec - considering OpenID "almost" lends itself to a phishing attack is not
> a wise decision either.
>
> I could be completely wrong - and would truly appreciate to be pointed in
> the right direction - if I have it wrong.
>
> =gavin.baumanis
>
>
> >>> On Saturday, January 20, 2007 at 04:30, in message
> <C1D6404B.27172%scott at janrain.com>, Scott Kveton
> <scott at janrain.com> wrote:
>
> >> Solving this problem might not be a goal of the OpenID 2.0 Auth spec.
> >> but surely some attention should be given to mitigating the issue?
> >
> > Exactly. I wouldn't expect OpenID to _solve_ phishing all on its
> > lonesome, but making it worse really does strike me as a serious
> > problem - and one that should cause all security people to recommend
> > avoiding it like the plague. We should be progressing on phishing, not
> > regressing.
>
> I think the suggestions on this list are a great start and I'm sure we'll
> see folks starting to implement them soon.
>
> Ben: since its clearly not an issue for the spec, do you have any
> suggestions on how to combat phishing for OpenID's?
>
> > OTOH, I think this religious attitude that says browser plugins are to
> > be avoided at all costs is wrong-headed. Browser authentication is
> > broken. Someone has to apply pressure that'll fix that situation!
>
> Even browser extensions can be phished.  What about extensions that do bad
> things to other extensions?  Trojan extensions?
>
> I think there has to be some smarts built into the browser that can't be
> affected by installed extensions to really solve this problem.  I'm excited
> to see Mozilla engaged in this discussion already (thanks Mike for the links
> this morning).
>
> - Scott
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general