[OpenID] Another Client-side Password Phishing Mitigation Idea
Tan, William
William.Tan at neustar.biz
Mon Jan 22 01:33:56 UTC 2007
Dmitry Shechtman wrote:
> There are a few DISadvantages to this proposal:
>
> * it works on all password forms, not just for OpenID
> * it forcefully disrupts the flow of the user
>
If I understand you correctly, you're criticizing its usability or
inconvenience. As much as I hate yet another type of pop-up dialog, I
base my idea on the paper that Mike referred to:
http://www.simson.net/ref/2006/CHI-security-toolbar-final.pdf
which showed that with modal warning dialogs users exercised more
caution and phishing was less successful.
In my personal experience, it is a scary thing to post your password to
an unknown location. There are a few reasons for this:
1. If the current page (that has the password field) is unencrypted, a
MITM might be present altering the target URL.
2. If both current page and target page are both on plain http URL, you
get no warning from browser even if they're both very different sites.
[Unless you are one of those paranoid androids who check the "show me
every time" box on the "you are submitting information to an insecure
channel" dialog.]
3. Some login URLs look complicated, so even for a security-aware user,
it may take more than a glance to decide whether it is trustworthy. e.g.
us1.f34.auth.bankofamerica.com (fictional)
4. The above may only flash for one second or less, or never show up on
the URL bar during a redirect dance. So, you don't even get the chance
to find out if your password was stolen!
So, with this proposal I'm arguing that all forms with a password field
should trigger the warning dialog if the target URL is untrusted.
> FUNCTION warning-dialog.onshow()
> IF warning-dialog.contains-dont-show-again-checkbox()
> dont-show-again-checkbox.select()
> ok-button.click
> RETURN ok
> END IF
> IF anti-phishing-mitigation.is-addon()
> anti-phishing-mitigation.uninstall()
> RETURN ok
> END IF
> browser.uninstall()
> RETURN not-ok
> END FUNCTION
>
Are you saying this would be the course of action taken by you, the
user? Well, it's not for everyone. If it irritates you, go ahead and
deinstall it.
> What's wrong with an identity manager?
>
I think it's a good idea, and should be explored further. However, I
agree with Marcin that the fuzzy logic thing probably wouldn't work.
Well-defined <meta> or <link> elements on the OP pages should be
required in order to allow you to unambiguously detect an OpenID sign-on.
Your proposal still suffers from the same downside as mine - a malicious
RP can bypass your UI by *not* calling the OpenID field "openid_url"
(maybe call it "q") or by using a Flash form or whatever. Then the user is
pretty much left on his own to detect "something unusual" about this OP,
namely that the Identity Manager did not pop up -- I'm not sure how reliable
that is.
=wil
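The decision logic behind the proposal above (warn on any password form whose target URL is untrusted), written out as an added example that is not part of the mailing-list post. The function name, the reason labels, the `trustedOrigins` allowlist (standing in for whatever the dialog remembers) and the sample URLs are assumptions; the four reasons map onto the numbered list in the message.

```javascript
// Added example, not code from the thread: decide whether a browser-side
// password-form warning should fire. `pageHref` is the URL of the page that
// holds the password field, `formAction` its action attribute, and
// `trustedOrigins` a hypothetical set of origins the user has already accepted.
function passwordSubmitWarnings(pageHref, formAction, trustedOrigins = new Set()) {
  const page = new URL(pageHref);
  // Resolve relative or empty actions the way a browser does (action="" posts back).
  const target = new URL(formAction || "", page);
  const reasons = [];

  if (page.protocol !== "https:") {
    // Reason 1: an unencrypted page can have its form action rewritten in transit.
    reasons.push("page-not-https");
  }
  if (target.protocol !== "https:") {
    // Reason 2: the password itself would travel over a plaintext channel,
    // and the browser gives no warning when both ends are plain http.
    reasons.push("target-not-https");
  }
  if (target.origin !== page.origin && !trustedOrigins.has(target.origin)) {
    // Reasons 3 and 4: a cross-origin host that is hard to read at a glance,
    // or that the redirect dance never shows in the URL bar.
    reasons.push("target-untrusted-origin");
  }
  return reasons;
}

// Constructed sample inputs: the fictional host from the post as a trusted
// origin, and an unrelated (constructed) login host as the untrusted one.
function demo() {
  const trusted = new Set(["https://us1.f34.auth.bankofamerica.com"]);
  return {
    sameOriginHttps: passwordSubmitWarnings("https://example.test/login", "/session", trusted),
    trustedCrossOrigin: passwordSubmitWarnings("https://example.test/login",
      "https://us1.f34.auth.bankofamerica.com/login", trusted),
    downgradeSameHost: passwordSubmitWarnings("https://example.test/login",
      "http://example.test/session", trusted),
    plainHttpElsewhere: passwordSubmitWarnings("http://example.test/login",
      "http://login.example.net/session", trusted),
  };
}
```

Note that the origin comparison includes the scheme, so an https page posting to the same host over http is reported as both a plaintext target and an untrusted origin, which is the downgrade case the second reason in the message is concerned with.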