[OpenID] [security] Another Client-side Password Phishing Mitigation Idea

Chris Drake christopher at pobox.com
Mon Jan 22 04:23:37 UTC 2007


Hi All,

Read my proposals from about 3 months back.  I explained how plugins
will need to recognize OpenID login pages.  I proposed the technical
solution. It's the same concept as "IdP initiated logins" (since
something else besides the RP web page initiates the login - e.g., the
browser plugin).

Be warned - my proposal got flamed and ignored.

A few times subsequent to my proposal, I requested someone correlate
all the proposals - again - this hasn't happened, so now we find
ourselves back in a loop discussing the same things again.

IMHO - OpenID needs to have hooks to let anti-phishing technology
evolve, otherwise both will die off (succumbing to InfoCard).

Kind Regards,
Chris Drake,
=1id.com


Monday, January 22, 2007, 5:35:57 AM, you wrote:

MJ> Maybe I don't understand this correctly, but... well the author of
MJ> this noticed this too:

MJ> "phisher can replace the password input field with javascript / DHTML
MJ> / flash to bypass the check"

MJ> That's right. In my opinion you have to do both: change the UI on every
MJ> page that claims to be an OP (or includes a "password" field, although I
MJ> think it's too broad) AND warn the user if the OP is suspicious. This is the
MJ> missing part of this idea. If the "phisher" wants to trick the plugin by
MJ> not using the "password" field, we should just let him do this. And
MJ> make the user see the difference.

MJ> regards

MJ> Marcin

MJ> 2007/1/21, Tan, William <William.Tan at neustar.biz>:
>> This is a combination of techniques that may mitigate password phishing:
>> combine a whitelist + warning pop-up with prominent display of target
>> domain and a time-delayed button.
>>
>> http://dready.org/blog/2007/01/22/browser-based-mitigation-of-phishing-attacks/
>>
>> Comments are most welcome.
>>
>> =wil
>> _______________________________________________
>> security mailing list
>> security at openid.net
>> http://openid.net/mailman/listinfo/security
>>
MJ> _______________________________________________
MJ> general mailing list
MJ> general at openid.net
MJ> http://openid.net/mailman/listinfo/general
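The mitigation Wil sketches above (whitelist + warning with the target domain shown prominently + time-delayed button), modelled as plugin-side logic. This is an added example, not code from the thread or from any of the posters; it assumes "target domain" means the host the credential form actually posts to (its action URL), uses constructed host names, and additionally flags a form that posts to an origin other than the page's own, which the thread does not mention.

```javascript
// Normalise a host for comparison: lowercase, drop a trailing dot.
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// True when host is a whitelisted OP host or a subdomain of one.
// A host that merely *contains* a trusted name (e.g. trusted.com.evil.net) does not match.
function isWhitelisted(host, whitelist) {
  const h = normaliseHost(host);
  return whitelist.map(normaliseHost).some(w => h === w || h.endsWith("." + w));
}

// Decide what the plugin should do for a login form on pageUrl whose
// action attribute is formAction (absolute or relative). The returned
// object carries what the warning should display and whether the submit
// button must be time-delayed. URL is a global in Node and browsers.
function assessLoginForm(pageUrl, formAction, whitelist, delayMs = 5000) {
  const page = new URL(pageUrl);
  const target = new URL(formAction, pageUrl); // relative actions resolve against the page
  const targetHost = normaliseHost(target.hostname);
  const trusted = isWhitelisted(targetHost, whitelist);
  return {
    targetHost,                                   // shown prominently in the pop-up
    crossOrigin: target.origin !== page.origin,   // credentials leave the page's origin (assumption)
    warn: !trusted,                               // pop-up only for non-whitelisted targets
    delayMs: trusted ? 0 : delayMs,               // time-delayed button only when warning
  };
}

// Time-delayed button: enabled only once delayMs has elapsed since the
// warning was shown (timestamps in ms, e.g. Date.now()).
function submitEnabled(assessment, shownAt, now) {
  return now - shownAt >= assessment.delayMs;
}

// Constructed sample: a user-maintained whitelist of trusted OP hosts.
const SAMPLE_WHITELIST = ["example-op.net", "1id.com"];
```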