[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
chris.messina at gmail.com
Sat Jan 20 16:07:54 UTC 2007
I want to underscore what Scott's said -- especially around the part
that OpenID will stop and/or prevent phishing. Mike's likening
phishing to XSS or buffer overruns is a great way to think about it: it's
simply one of those dark aspects of being on the web that requires a
host of best practices (and sometimes luck) to avoid.
Now, I also want to point out something that I might call
"implementor's behavior" (as opposed to merely the human kind): at the
protocol level where bits and bytes are being sent around and you've
got to implement a high degree of a protocol stack to even play with
others, the same is not true for user interface or experience. And
indeed, to try to dictate how OpenID must look or behave beyond the
bit passing level is going to be an uphill battle... Compounding what
Scott, Mike and others have said about conflating matters outside the
spec into it and causing folks to run away screaming, you're also
going to be faced with the realities of laziness, creativity,
smarter-than-you and plain partial implementation or miscommunication.
So, while I strongly favor clearly explaining how best to implement
front end, user facing interfaces, I also think that we'll be terribly
disappointed by the results in the wild -- that no amount of
enforcement will cure. We're not Microsoft or Google; we can't just
shut off access to a domain or IP because we can't expect that
everyone will share (or agree with) the same white/blacklist.
I guess what this comes down to is a desire, I hate to say it, but to
let the market and iDPs decide how best to serve and educate the
OpenID user. We can force the issue, attempt to drive its salience,
and continue to improve the CW on fighting phishing, but beyond that,
I feel that it's impossible for us to mandate or legislate matters
that we don't fully understand, don't have the influence to enforce
and may, in reality, be a blow to our focus and credibility by
This conversation *is* fascinating, necessary and worthwhile, but we
should also keep our expectations and the degree to which this
thinking should end up in the spec, in check.
On 1/20/07, Scott Kveton <scott at janrain.com> wrote:
> >> Phishing is a _huge_ problem ... By huge I don't mean it's happening all
> >> the place, I mean it's an the-Internet-Sucks problem. That alone is
> >> enough to leave it as out-of-scope for OpenID.
> > No one expects OpenID to make phishing go away. I understand that.
> > But OpenID exacerbates phishing, and that has to be acknowledged.
> Well, you quoted only part of what I wrote. The second half went on to say
> that authentication is out-of-scope because there will be many ways to
> authenticate via OpenID ... Not just from redirects to forms.
> I'm with the others on this list that have said the following:
> 1) OpenID will not solve phishing
> 2) To limit the problem, we'll need a set of best practices for OP's
> 3) There is no silver bullet for solving phishing and users will want to
> choose what level of security they want; we can't mandate any of this or
> we'll lose the very value of what makes OpenID great.
> I think that the suggestions on this list, taken together, provide quite a
> defense against phishing.
> - Scott
Citizen Provocateur &
Open Source Ambassador-at-Large
Cell: 412 225-1051
This email is: [ ] bloggable [X] ask first [ ] private