[OpenID] Another Client-side Password Phishing Mitigation Idea
damnian at gmail.com
Sun Jan 21 23:08:25 UTC 2007
> PS. Posting only to security list.
Isn't phishing a general OpenID issue?
> <input type="text" name="opneid">
> Just a typo in name, and Identity Manager isn't launched, am I wrong?
You are right, though the RP script won't be able to login either.
> What about Flash and other login forms?
If you have a solution for these, I'd love to hear all about it.
> I don't have anything against making Identity Manager core component.
> But somehow I don't perceive it as "the only solution".
If a better one exists, I'd love to hear about it as well!
From: Marcin Jagodziński [mailto:marcin.jagodzinski at gmail.com]
Sent: Monday, January 22, 2007 00:59
To: Dmitry Shechtman
Cc: security at openid.net
Subject: Re: [OpenID] Another Client-side Password Phishing Mitigation Idea
07-01-21, Dmitry Shechtman <damnian at gmail.com> wrote:
> You're blinded by that "phishing is imminent, we must change something in
> the protocol" panic. I didn't see a viable solution in that department, so
> I think we should concentrate our efforts on the client side.
I don't think I'm blinded. And I do agree, that we should concentrate
efforts on client side.
> > This kind of detection can be very easily avoided in my opinion.
> Please read my comment carefully. The "fuzzy logic" part is only pertinent
> to combo fields. I don't know about the common user, but combo fields are
> a sacrifice I am willing to make.
<input type="text" name="opneid">
Just a typo in name, and Identity Manager isn't launched, am I wrong?
What about Flash and other login forms?
> Just to make things clear, I'm not implementing an identity manager
> I still believe it should be a core browser component, as it is the only
> solution to combine advanced security, *improved* usability (contrary to
> other suggestions we've seen) and CardSpace integration.
> I'd really love to hear what the FireFox/IE folks have to say about this.
I don't have anything against making Identity Manager core component.
But somehow I don't perceive it as "the only solution".
PS. Posting only to security list.