[OpenID] [security] MyOpenID anti-phishing tools ...

Mike Glover mpg4 at janrain.com
Wed Jan 24 17:16:55 UTC 2007


SafeSignin will prevent you from entering your password if you've been 
redirected from another website.  To try it out:

  * go to myopenid.com/settings
  * check the 'Activate SafeSignin...' box
  * log out of MyOpenID
  * try to use your MyOpenID to log in somewhere

Instead of being asked for your password, you should get a screen 
telling you to use your bookmark to log in.

The Personal Icon is tied to a cookie that will be sent to 
[anything].myopenid.com.  We look up the image based on that cookie, and 
serve the image back to you.


Marcin Jagodziński wrote:
> Scott,
> I don't quite get SafeSignIn. I have a weblog (nettoblog.com) that is
> OpenID enabled. I've entered reuptake.myopenid.com identifier as
> login. Then I had to enter URL in Location bar. Then I logged in...
> and? What's next? I expected something like:
> "A site identifying as http://nettoblog.com has asked us for
> confirmation that http://reuptake.myopenid.com/ is your identity URL.
> nettoblog.com also asked for additional information. It did not
> provide a link to the policy on data it collects"
> How can I login to weblog using SafeSignIn and MyOpenID?
> And second question: what do you mean by "personalized image for MyOpenID that is
> not tied to your account"? Does it mean that it's stored in a cookie
> readable by myopenid.com, not reuptake.myopenid.com?
> regards,
> Marcin
> 2007/1/24, Scott Kveton <scott at janrain.com>:
>> Inspired by a lot of the discussion happening here on the mailing lists
>> (yes, I'm cross-posting, I think it's applicable) we've gone and implemented
>> two new features on MyOpenID.com to help fight phishing:
>> * Personal Icon: Allows you to set a personalized image for MyOpenID that is
>> not tied to your account that is only visible from the browser you install
>> it on.  This helps you with a visual clue on when you might be getting
>> phished.
>> * SafeSignIn: Inspired by Simon Willison, we created an option that allows
>> users to not be redirected to a password screen from another site.  You are
>> presented with a dialog that asks you to navigate to the page via a bookmark
>> or enter the address manually in the address bar.
>> We wanted to get something up quickly while we discuss options for the
>> specification/appendix/etc to make sure our users are as secure as they can
>> be.
>> You can read more about it here:
>> http://kveton.com/blog/?p=211
>> We'd love to hear thoughts from folks on these new tools,
>> - Scott
>> _______________________________________________
>> security mailing list
>> security at openid.net
>> http://openid.net/mailman/listinfo/security
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
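As an added illustration (my own sketch, not MyOpenID's code and not from anyone in this thread), here is a Python model of the two checks Mike describes: SafeSignin refuses the password form when an OpenID checkid request arrived by redirect from another site and no session exists, and the Personal Icon is looked up purely from a browser cookie scoped to .myopenid.com, so a look-alike host never receives it. The request shape, the user/session/icon stores and the domain-suffix rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

PROVIDER = "myopenid.com"  # assumed provider domain; the icon cookie is scoped to it

@dataclass
class Request:
    host: str                               # host the browser addressed
    referer: Optional[str] = None           # Referer header, if the browser sent one
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

# Constructed stand-ins for provider state (hypothetical, not real MyOpenID data).
ICON_BY_COOKIE = {"icon-7f3a": "/icons/red_bicycle.png"}  # browser cookie -> image
SAFE_SIGNIN_USERS = {"reuptake"}                          # users who ticked the box
SESSIONS = {"sess-42": "reuptake"}                        # session cookie -> user

def on_provider(host: str) -> bool:
    """True for myopenid.com and any [anything].myopenid.com host."""
    host = (host or "").lower()
    return host == PROVIDER or host.endswith("." + PROVIDER)

def arrived_by_redirect(req: Request) -> bool:
    """A checkid_* request that did not originate on the provider itself.
    A missing Referer is treated as 'redirected' (fail closed)."""
    if req.query.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        return False
    return not on_provider(urlsplit(req.referer or "").hostname or "")

def signin_decision(req: Request) -> str:
    """'already_signed_in', 'bookmark_notice' (SafeSignin) or 'password_form'."""
    ident_host = urlsplit(req.query.get("openid.identity", "")).hostname or ""
    user = ident_host.split(".")[0]          # reuptake.myopenid.com -> reuptake
    if SESSIONS.get(req.cookies.get("session")) == user:
        return "already_signed_in"           # logged in via bookmark earlier; no password asked
    if user in SAFE_SIGNIN_USERS and arrived_by_redirect(req):
        return "bookmark_notice"             # tell the user to use their bookmark
    return "password_form"

def personal_icon(req: Request) -> Optional[str]:
    """Image served from the cookie alone; nothing about the account is needed."""
    if not on_provider(req.host):
        return None   # stands in for the browser's rule: cookie only sent to .myopenid.com
    return ICON_BY_COOKIE.get(req.cookies.get("personal_icon", ""))
```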
