[OpenID] Another Client-side Password Phishing Mitigation Idea

Dmitry Shechtman damnian at gmail.com
Sun Jan 21 23:08:25 UTC 2007


> PS. Posting only to security list.

Isn't phishing a general OpenID issue?
 
> <input type="text" name="opneid">
>
> Just a typo in name, and Identity Manager isn't launched, am I wrong?

You are right, though the RP script won't be able to log in either.

> What about Flash and other login forms?

If you have a solution for these, I'd love to hear all about it.

> I don't have anything against making Identity Manager a core component.
> But somehow I don't perceive it as "the only solution".

If a better one exists, I'd love to hear about it as well!


Regards,
Dmitry
=damnian

-----Original Message-----
From: Marcin Jagodziński [mailto:marcin.jagodzinski at gmail.com] 
Sent: Monday, January 22, 2007 00:59
To: Dmitry Shechtman
Cc: security at openid.net
Subject: Re: [OpenID] Another Client-side Password Phishing Mitigation Idea

07-01-21, Dmitry Shechtman <damnian at gmail.com> wrote:
> You're blinded by that "phishing is imminent, we must change something in
> the protocol" panic. I didn't see a viable solution in that department, so I
> think we should concentrate our efforts on the client side.

I don't think I'm blinded. And I do agree that we should concentrate
efforts on client side.

> > This kind of detection can be very easily avoided in my opinion.
>
> Please read my comment carefully. The "fuzzy logic" part is only pertinent
> to combo fields. I don't know about the common user, but combo fields are a
> sacrifice I am willing to make.

<input type="text" name="opneid">

Just a typo in name, and Identity Manager isn't launched, am I wrong?
What about Flash and other login forms?

> Just to make things clear, I'm not implementing an identity manager plugin.
> I still believe it should be a core browser component, as it is the only
> solution to combine advanced security, *improved* usability (contrary to
> other suggestions we've seen) and CardSpace integration.
>
> I'd really love to hear what the FireFox/IE folks have to say about this.
>
I don't have anything against making Identity Manager a core component.
But somehow I don't perceive it as "the only solution".

regards

Marcin

PS. Posting only to security list.



