[OpenID] Another Client-side Password Phishing Mitigation Idea

Tan, William William.Tan at neustar.biz
Mon Jan 22 01:33:56 UTC 2007


Dmitry Shechtman wrote:
> There are a few DISadvantages to this proposal:
>
>     * it works on all password forms, not just for OpenID
>     * it forcefully disrupts the flow of the user
>   
If I understand you correctly, you're criticizing its usability or 
inconvenience. As much as I hate yet another type of pop-up dialog, I 
base my idea on the paper that Mike referred to:
    http://www.simson.net/ref/2006/CHI-security-toolbar-final.pdf
which showed that with modal warning dialogs users exercised more 
caution and phishing was less successful.

In my personal experience, it is a scary thing to post your password to 
an unknown location. There are a few reasons for this:

1. If the current page (that has the password field) is unencrypted, a 
MITM might be present altering the target URL.
2. If both the current page and the target page are on plain http URLs, you 
get no warning from the browser even if they're very different sites. 
[Unless you are one of those paranoid androids who check the "show me 
every time" box on the "you are submitting information to an insecure 
channel" dialog.]
3. Some login URLs look complicated, so even for a security-aware user, 
it may take more than a glance to decide whether it is trustworthy. e.g. 
us1.f34.auth.bankofamerica.com (fictional)
4. The above may only flash for one second or less, or never show up on 
the URL bar during a redirect dance. So, you don't even get the chance 
to find out if your password was stolen!

So, with this proposal I'm arguing that all forms with a password field 
should trigger the warning dialog if the target URL is untrusted.

> FUNCTION warning-dialog.onshow()
> 	IF warning-dialog.contains-dont-show-again-checkbox()
> 		dont-show-again-checkbox.select()
> 		ok-button.click
> 		RETURN ok
> 	END IF
> 	IF anti-phishing-mitigation.is-addon()
> 		anti-phishing-mitigation.uninstall()
> 		RETURN ok
> 	END IF
> 	browser.uninstall()
> 	RETURN not-ok
> END FUNCTION
>   
Are you saying this would be the course of action taken by you, the 
user? Well, it's not for everyone. If it irritates you, go ahead and 
deinstall it.

> What's wrong with an identity manager?
>   
I think it's a good idea, and should be explored further. However, I 
agree with Marcin that the fuzzy logic thing probably wouldn't work. 
Well defined <meta> or <link> elements on the OP pages should be 
required in order to allow you to unambiguously detect an OpenID sign-on.

Your proposal still suffers from the same downside as mine - a malicious 
RP can bypass your UI by *not* calling the OpenID field "openid_url" 
(maybe calling it "q") or by using a flash form or whatever. Then the user is 
pretty much left on his own to detect "something unusual" about this OP, 
that the Identity Manager did not pop up -- I'm not sure how reliable 
that is.


=wil
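As an added illustration that is not part of the message above or of any OpenID implementation, the following JavaScript models the two detection rules the thread contrasts: the proposed warning, which keys on the presence of an `<input type="password">` and on where the form would post, and an identity-manager heuristic that keys on a field named "openid_url". It is kept DOM-free so it runs under Node; the trust list `TRUSTED_ORIGINS`, the host names and the sample forms are all constructed for the example and stand in for a user-maintained list of trusted login targets and for real pages.

```javascript
// Added example (not code from the original post): a DOM-free model of
// "warn before posting a password to an untrusted target" beside the
// field-name heuristic the reply criticises. All origins and forms below
// are constructed for illustration; none refer to real sites.

// Hypothetical user-maintained trust list (assumption): origins the user
// has accepted as legitimate login targets, e.g. their own OpenID provider.
const TRUSTED_ORIGINS = new Set(['https://login.example-op.net']);

// Resolve a form's action the way a browser does: relative to the page URL.
function resolveTarget(pageUrl, action) {
  return new URL(action || pageUrl, pageUrl);
}

// Proposed check: keyed on the input *type*, never on the field name, so
// renaming the field does not bypass it. Returns why a warning fires.
function shouldWarn(pageUrl, form) {
  const hasPassword = form.inputs.some((i) => i.type === 'password');
  if (!hasPassword) {
    return { warn: false, reason: 'no password field' };
  }
  const page = new URL(pageUrl);
  const target = resolveTarget(pageUrl, form.action);
  if (page.protocol !== 'https:') {
    // Reason 1 in the post: on an unencrypted page a MITM may have altered the action.
    return { warn: true, reason: 'page is not https; form action may have been tampered with' };
  }
  if (target.protocol !== 'https:') {
    // Reason 2: the browser itself stays silent about plain-http submission.
    return { warn: true, reason: 'password would be sent over plain http' };
  }
  if (!TRUSTED_ORIGINS.has(target.origin)) {
    // Reasons 3 and 4: the user may never get to inspect this host name.
    return { warn: true, reason: `password would be posted to untrusted origin ${target.origin}` };
  }
  return { warn: false, reason: 'target is a trusted https origin' };
}

// Identity-manager heuristic: fires only when a field is literally named openid_url.
function identityManagerFires(form) {
  return form.inputs.some((i) => i.name === 'openid_url');
}

// Constructed sample forms (hypothetical hosts under .test / example domains).
const SAMPLE_FORMS = [
  {
    label: 'legitimate login on the trusted OP',
    pageUrl: 'https://login.example-op.net/signin',
    action: '/auth',
    inputs: [{ name: 'user', type: 'text' }, { name: 'pass', type: 'password' }],
  },
  {
    label: 'phishing page with a complicated look-alike host name',
    pageUrl: 'https://us1.f34.auth.example-op.net.evil.test/signin',
    action: 'collect.php',
    inputs: [{ name: 'user', type: 'text' }, { name: 'pass', type: 'password' }],
  },
  {
    label: 'plain-http page posting a password to plain http',
    pageUrl: 'http://blog.example.test/login',
    action: 'http://blog.example.test/login',
    inputs: [{ name: 'pass', type: 'password' }],
  },
  {
    label: 'RP sign-on form with the OpenID field renamed to q (no password asked)',
    pageUrl: 'https://rp.example.test/',
    action: 'https://rp.example.test/start',
    inputs: [{ name: 'q', type: 'text' }],
  },
  {
    label: 'malicious RP asking for the OP password directly, field renamed',
    pageUrl: 'https://rp.example.test/',
    action: 'https://rp.example.test/steal',
    inputs: [{ name: 'q', type: 'text' }, { name: 'p', type: 'password' }],
  },
];

// Run both rules over every sample form and report side by side.
function evaluateAll(forms = SAMPLE_FORMS) {
  return forms.map((f) => {
    const verdict = shouldWarn(f.pageUrl, f);
    return {
      label: f.label,
      warn: verdict.warn,
      reason: verdict.reason,
      identityManagerFires: identityManagerFires(f),
    };
  });
}

for (const r of evaluateAll()) {
  console.log(`${r.warn ? 'WARN ' : 'ok   '} idmgr=${r.identityManagerFires} ${r.label}: ${r.reason}`);
}
```

The last two sample forms are the bypass the reply describes: with the field called "q" the identity manager never fires, whereas the password-type check still warns when a password field is present and the target is not on the trust list. Neither rule helps against a Flash form or a plain text input styled to hide its characters, which the post also concedes.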


