[OpenID] A couple of questions regarding OpenID...
Eric Norman
ejnorman at doit.wisc.edu
Fri Feb 1 04:38:23 UTC 2008
On Jan 31, 2008, at 6:17 PM, Eddy Nigg (StartCom Ltd.) wrote:
> Per Ekström wrote:
>>
>> My first question is regarding the Phishing attacks that are
>> mentioned at Wikipedia [1] - Are they still valid or is it just
>> FUD that has been floating around since an old version of the
>> standard?
> I guess that's correct, as with anything that uses a user name and
> password for authentication. There is no difference between a phishing
> attempt of an online banking web site and an IDP, with different
> results perhaps. Phishing of banking sites will cost somebody
> money, whereas with OpenID it might be used for spamming and
> identity theft (whatever that implies).
And let's not forget the phishing attacks where the relying party is
a rogue but the OpenID provider is genuine. A miscreant may not
be able to swipe credentials that way, but may still acquire something
of value.
Eric Norman