[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

James A. Donald jamesd at echeque.com
Sat Jan 20 03:17:48 UTC 2007

Marcin Jagodzin'ski wrote:
 > OpenID is more vulnerable to phishing than "normal web
 > browsing". But I feel we can use it as an advantage!
 > Plug-in/browser based approach: First we need to find
 > out if the website claims to be an OP. It's easy
 > (isn't it?) Browser can analyze requests and if
 > requests matches OpenID specs, the "final" website
 > after all redirects will be treated as OP ("good" or
 > "bad"). Then it's just a matter of keeping a list of
 > visited OPs (and maybe connecting to list of known
 > "good" OPs and blacklist of phishing OPs).

The plugin should notice if we are logging in to a site
where do not have an existing login.

If the plugin encounters a site where we have an
existing login, it auto logins in, or brings up its own
UI giving the user one click login.

If the plugin encounters a site where we do not have an
existing login, but which asks us to login, gets antsy,
because this something is wrong, possibly phishing.

If the plugin encounters a site asking us to register,
gives us a whole different UI

More information about the general mailing list