[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)
openid at zesty.ca
Sat Jan 20 10:18:43 UTC 2007
On Sat, 20 Jan 2007, James A. Donald wrote:
> Short answer. Passpet. Longer answer, passpet plus SRP.
I'm glad you like the UI ideas in Passpet.
> SRP is the final solution to phishing for shared secrets.
It's a fairly final solution to phishing for *passwords*.
Unfortunately, phishing is a broader problem than that.
If I can fool you into thinking that my site is your bank,
I can still ask you for all sorts of personal information,
regardless of what login protocol your bank uses.
Phishing is an identification problem ("which site am I at?").
SRP solves *login*. It doesn't solve identification -- no
protocol can, because identification is a UI problem.
Passpet (mainly) attacks the UI problem (it also tries to
improve the situation on the login front, but there's a
limit to how much you can improve that while remaining
compatible with today's username-and-password sites.)
More information about the general