[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Scott Kveton scott at janrain.com
Sat Jan 20 04:25:14 UTC 2007

>> Seriously, we're very interested. It's not an easy
>> problem. If I'm missing some easy solution that solves
>> this, please hit me over the head with it 'cause I'd
>> love nothing more than to drop a bunch of these
>> working groups I'm on ...
> Short answer.  Passpet.  Longer answer, passpet plus
> SRP.

Is Petname also something along the same lines?  I see that it is Firefox
2.0 compatible:


Both Passpet and Petname appear to be like a local "site seal" ... You put a
user-defined comment/note for the site and if you see that come up when
you're entering the site, then you're good to go.  This is actually quite
nice as it relates to OpenID because instead of having loads and loads of
comments/notes, one for each site, you could just have one for your OpenID
provider.  This would make remembering it that much easier.
> SRP is the final solution to phishing for shared
> secrets.
> SRP (http://srp.stanford.edu/) is a cryptographic
> technology for password based mutual authentication.
> Instead of one party who knows the password proving his
> identity by giving the shared secret to the other party,
> both parties prove knowledge of the shared secret
> without revealing it to each other - so phishing an
> SRP login does the phisher no good.
> Of course, for this to work, the SRP login has to come
> up in unforgeable browser chrome, as basic and digest
> access authentication does, not in the possibly hostile
> web site's login page, thus requires a change in the
> browser itself, or a browser extension.  It also amounts
> to a change in http specification, supplementing RFC
> 2617 (HTTP Authentication: Basic and Digest Access
> Authentication) requiring corresponding changes in web
> servers, in particular requiring a new apache module,
> which we would hope would eventually be incorporated
> into apache.

Is SRP really applicable for OpenID at this time?  You're talking about
patent trolls and changing the HTTP specification.  That seems a little
farther out than I want to consider (especially when it comes to the OpenID
2.0 specification).  If those challenges are overcome, then maybe then we
could hook Passpet/Petname to SRP and be done with it.

What about doing a Passpet/Petname option but built into the browser?

- Scott
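The mutual-authentication property the quoted reply describes, as an added example that is not part of this thread nor of the Stanford SRP code: a minimal SRP-6a-shaped login in Python showing both sides' messages (A, then salt and B, then the client proof M1, then the server proof M2), plus a phishing site that holds no verifier. The toy group (N = 1019, g = 2), the choice of SHA-256, and every class and function name here are assumptions made for the example; real deployments use the RFC 5054 groups and the spec's exact padding and hashing rules.

```python
import hashlib
import secrets

# Constructed toy group for this example only; real deployments use the RFC 5054
# groups (1024 bits and up). N is a safe prime small enough to check by hand.
N = 1019   # (N - 1) // 2 = 509 is also prime
g = 2      # generates the whole multiplicative group mod N

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

assert _is_prime(N) and _is_prime((N - 1) // 2), "N must be a safe prime"
assert pow(g, 2, N) != 1 and pow(g, (N - 1) // 2, N) != 1, "g must be a generator"

def H(*parts):
    """SHA-256 over the concatenated parts (ints big-endian encoded), returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def register(username, password):
    """Enrolment: the server stores only (salt, verifier v); the password never leaves the client."""
    salt = secrets.token_bytes(16)
    x = H(salt, H(username.encode() + b":" + password.encode()))
    return salt, pow(g, x, N)

class Server:
    """Genuine server holding verifiers. A login transcript gives it nothing password-equivalent."""
    def __init__(self, db):
        self.db = db  # username -> (salt, v)

    def challenge(self, username, A):
        if A % N == 0:
            raise ValueError("client public value A must not be 0 mod N")
        salt, v = self.db[username]
        while True:  # SRP-6a requires B != 0 mod N; retry otherwise
            b = secrets.randbelow(N - 1) + 1
            B = (k * v + pow(g, b, N)) % N
            if B != 0:
                break
        u = H(A, B)
        S = pow(A * pow(v, u, N), b, N)      # = g^(ab + ubx)
        self.A, self.B, self.K = A, B, H(S)
        return salt, B

    def verify(self, M1):
        if M1 != H(self.A, self.B, self.K):
            return None                      # wrong password: prove nothing back
        return H(self.A, M1, self.K)         # M2: the server's own proof of K

class Impostor:
    """Phishing site with no verifier: it records A and M1 but can neither derive K nor forge M2."""
    def __init__(self):
        self.seen = []

    def challenge(self, username, A):
        self.seen.append(A)
        return secrets.token_bytes(16), pow(g, secrets.randbelow(N - 1) + 1, N)

    def verify(self, M1):
        self.seen.append(M1)
        return secrets.randbelow(1 << 256)   # bluffed M2; the client will reject it

class Client:
    def __init__(self, username, password):
        self.username, self.password = username, password

    def start(self):
        self.a = secrets.randbelow(N - 1) + 1
        self.A = pow(g, self.a, N)
        return self.A

    def respond(self, salt, B):
        if B % N == 0:
            raise ValueError("server public value B must not be 0 mod N")
        u = H(self.A, B)
        x = H(salt, H(self.username.encode() + b":" + self.password.encode()))
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)  # = g^(b(a + ux))
        self.K = H(S)
        self.M1 = H(self.A, B, self.K)
        return self.M1

    def check_server(self, M2):
        return M2 == H(self.A, self.M1, self.K)

def run_login(server, username, password):
    """Full exchange A -> (salt, B) -> M1 -> M2; True only if both sides prove knowledge of K."""
    client = Client(username, password)
    A = client.start()
    salt, B = server.challenge(username, A)
    M1 = client.respond(salt, B)
    M2 = server.verify(M1)
    return M2 is not None and client.check_server(M2)
```

Running `run_login` against a `Server` with the right password succeeds, a wrong password fails at M1, and against the `Impostor` the client rejects the bluffed M2: all the phishing site ever collects is the public value A and a hash M1 bound to a key it cannot compute, which is the sense in which the reply says phishing an SRP login does the phisher no good. The browser-chrome requirement the reply raises is still real: this only holds if the client code is the browser's own and not a form served by the site.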
