[OpenID] OpenID and phishing (was Announcing OpenIDAuthentication 2.0 - Implementor's Draft 11)

Tan, William William.Tan at neustar.biz
Sun Jan 21 12:17:08 UTC 2007

Ka-Ping Yee wrote:
> On Sat, 20 Jan 2007, James A. Donald wrote:
>> SRP is the final solution to phishing for shared secrets.
> It's a fairly final solution to phishing for *passwords*.
> Unfortunately, phishing is a broader problem than that.
> If I can fool you into thinking that my site is your bank,
> I can still ask you for all sorts of personal information,
> regardless of what login protocol your bank uses.
> Phishing is an identification problem ("which site am i at?")
Any chance you can release an installable extension for Passpet rather 
than having to check out from CVS? Is it updated for FF2?

> SRP solves *login*.  It doesn't solve identification -- no
> protocol can, because identification is a UI problem.
> Passpet (mainly) attacks the UI problem (it also tries to
> improve the situation on the login front, but there's a
> limit to how much you can improve that while remaining
> compatible with today's username-and-password sites.)
Right, but other than the petname indicator, how can Passpet protect one 
from entering non-password data into a malicious site? I believe the 
average Joe might not actually assign one to sites unless they're forced to.


More information about the general mailing list