[OpenID] [security] Another Client-side Password Phishing Mitigation Idea

Marcin Jagodziński marcin.jagodzinski at gmail.com
Sun Jan 21 18:35:57 UTC 2007

Maybe I don't understand this correctly, but... well the author of
this noticed this too:

"phisher can replace the password input field with javascript / DHTML
/ flash to bypass the check"

That's right. In my opinion you have to do both: change the UI on every
page that claims to be an OP (or includes a "password" field, although I
think it's too broad) AND warn the user if the OP is suspicious. This is the
missing part of this idea. If the "phisher" wants to trick the plugin by
not using the "password" field, we should just let him do this. And
make the user see the difference.
2007/1/21, Tan, William <William.Tan at neustar.biz>:
> This is a combination of techniques that may mitigate password phishing:
> combine a whitelist + warning pop-up with prominent display of target
> domain and a time-delayed button.
> http://dready.org/blog/2007/01/22/browser-based-mitigation-of-phishing-attacks/
> Comments are most welcome.
> =wil
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
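The combination discussed in this thread (whitelist, prominent display of the target domain, time-delayed button, and a UI change on every page that carries an OpenID request rather than only pages with a password field) as an added example of the client-side decision logic; this is not code from the thread or from the linked blog post. The whitelist entries, the 5-second delay, the substring lookalike heuristic and the last-two-labels domain extraction are assumptions for illustration.

```javascript
// Browser-side OpenID phishing guard (added example, not the thread's code).
// Every page carrying an OpenID auth request is treated as an OP page, with or
// without a password field; unknown OPs get a warning and a delayed button.
const OP_WHITELIST = ["myopenid.com", "example-op.test"]; // constructed sample
const WARN_DELAY_MS = 5000; // assumed: how long "Continue" stays disabled

// A page "claims to be an OP" if its URL carries an OpenID auth request.
function looksLikeOpRequest(urlString) {
  const mode = new URL(urlString).searchParams.get("openid.mode");
  return mode === "checkid_setup" || mode === "checkid_immediate";
}

// Simplified registrable domain (last two labels); a real extension would
// consult the Public Suffix List instead.
function displayDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Host embeds a whitelisted name without actually being under it,
// e.g. "myopenid.com.evil.test" (assumed heuristic, deliberately simple).
function isLookalike(hostname, whitelist) {
  const h = hostname.toLowerCase();
  return whitelist.some(w =>
    h !== w && !h.endsWith("." + w) && h.includes(w.split(".")[0]));
}

function classifyPage(urlString, whitelist = OP_WHITELIST) {
  if (!looksLikeOpRequest(urlString)) return { kind: "not-op" };
  const host = new URL(urlString).hostname.toLowerCase();
  const domain = displayDomain(host);
  const lookalike = isLookalike(host, whitelist);
  const trusted = whitelist.includes(domain) && !lookalike;
  return { kind: "op", host, domain, trusted, lookalike,
           delayMs: trusted ? 0 : WARN_DELAY_MS };
}

// Text the guard renders in its own browser chrome (outside the page's DOM),
// so the user sees the difference even when the page itself looks legitimate.
function badgeText(d) {
  if (d.kind !== "op") return "";
  if (d.trusted) return `OpenID provider: ${d.domain} (whitelisted)`;
  const why = d.lookalike ? "resembles a whitelisted provider" : "not whitelisted";
  return `WARNING: you are about to sign in at ${d.domain} (${why})`;
}

// The time-delayed button: a click only counts once the delay has elapsed.
function continueAllowed(d, shownAtMs, clickedAtMs) {
  return d.kind === "op" && clickedAtMs - shownAtMs >= d.delayMs;
}
```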
