[OpenID] OpenID and phishing (was AnnouncingOpenIDAuthentication 2.0 - Implementor's Draft 11)

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sat Jan 20 16:27:46 UTC 2007


there are two sides: OP / UA. In my opinion it would be good, if we write that

"OP MUST contain [...] markup which can be read by UA to distinguish
it from other login pages"


"UA MAY use it to present some special GUI and take other steps to
prevent phishing" (or maybe SHOULD).

The first sentence is easy to implement (and this markup can be also
used by RP to check if it's OP or some "other" page, maybe it should
not be inline markup but separate file?)

It won't slow down the rate of adoption, it's only mandatory from OP
side. Maybe the last sentence should contain "MAY" in 2.0 and "SHOULD"
in 2.1. We don't have to wait for UA-makers to make changes, but we
MUST give them a chance.

Writing a plugin that check every page ("maybe this is a login form so
we should warn the user...") and warning users ("hello, you're
submitting something which looks like login / password, is it your
identity provider page?") is not efficient. There's a warning about
summiting a form already built-in in browsers. With very useful option
"[ ] Don't show it again". I almost forgot about this "security
measure" :)

And in my opinion this is the one and only place where "phishing"
should be mentioned in specification.



> I know Dick floated the idea of having a bit of markup that can be detected
> by the UA to initiate some UI change to make it clear that the user is
> logging into their OP.  I like the idea as long as its not a MUST.  The
> reason I don't like the MUST is that I'm afraid that getting support for it
> in every UA (phones, browsers, etc) will take time and stunt adoption of
> OpenID.
> > How will UA reflect the fact that user is browsing site which claims
> > to be OP: this is up to
> > UA implementation.
> >
> > But I strongly feel that OP should inform the UA about being an OP and
> > this should be part of OpenID spec.
> Let's all not forget that the best part about OpenID 2.0 is that there will
> be an OpenID 2.1, 3.0 ... Maybe even XP, Vista or 2008 (I kid).  Putting a
> requirement like the above on OpenID 2.0 will halt adoption ... We can't
> demand that browsers and other user agents change before we move forward

More information about the general mailing list