[OpenID] OpenID and phishing (wasAnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)

Mike Beltzner beltzner at mozilla.com
Sat Jan 20 14:54:24 UTC 2007


I think that it may be beneficial to strengthen OpenID's requirements for securing the user-OP channel for phishing, or as others have suggested, linking to another document with best practises, etc. Perhaps even for the RP-OP redirect. 

As said before, though, that would be *part* of a suite of browser-based phishing protection technologies. I think that phishing protection will become, like XSS and buffer-overrun, just code/spec security "must-prevent" cross-cutting features. Where I get worried (and thankfully, I've not seen it proposed!) is when people start to conflate the goals of OpenID with those of phishing protection such that "OpenID solves phishing."

mike, the worry-wart

-----Original Message-----
From: "Gabe Wachob" <gabe.wachob at amsoft.net>
Date: Fri, 19 Jan 2007 16:26:47
To: "'Bob Wyman'" <bob at wyman.us>, "'Gavin Baumanis'" <gavin.baumanis at rmit.edu.au>
Cc: "'openid-general'" <general at openid.net>
Subject: Re: [OpenID] OpenID and phishing (was AnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)

Phishing (and pharming) is only an issue for *some* ways of authenticating to an OP.

The practical issue today is that most OPs have no better way of authenticating a user than phishable username/password login screens. However, OpenID (the protocol) is intended to support (practically) any form of authentication that an OP chooses to use. It is entirely possible to use, for example, token-based authentication that isn’t susceptible to the same phishing attacks.

My hope was that OpenID as a protocol would get launched in parallel with innovation in authentication mechanisms – including (of course) anti-phishing mechanisms for sites using plain old username/password.

I would hate for OpenID to be shot down in whole because of the special exposure it has to phishing in the simple deployment scenario which dominates today. I just want to make sure we don’t forget that enabling authentication innovation is a key driver for OpenID, at least for some of us.

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Bob Wyman
Sent: Friday, January 19, 2007 4:06 PM
To: Gavin Baumanis
Cc: openid-general
Subject: Re: [OpenID] OpenID and phishing (was AnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)

On 1/19/07, Gavin Baumanis <gavin.baumanis at rmit.edu.au> wrote:
> I think not addressing [Phishing] in the spec ... is not a wise decision... 
I keep getting the sense that somehow people seem to think that "not addressing phishing in the spec" is the same as "not addressing phishing." But, phishing can certainly be addressed in a distinct document and the two documents can then be linked together. By having two related documents, we can "address phishing" without addressing it in the spec. Actually, I think doing it that way would make a great deal of sense -- It's a standard separation of concerns.

bob wyman