[OpenID] Phishing resistant policy of PAPE
Breno de Medeiros
breno at google.com
Tue Oct 28 20:17:01 UTC 2008
On Tue, Oct 28, 2008 at 1:03 PM, Eric Norman <ejnorman at doit.wisc.edu> wrote:
>
> On Oct 28, 2008, at 1:09 PM, Paul Madsen wrote:
>
>> FYI, PAPE 1.0-07 (the version under public review) [1] no longer
>> defines the phishing resistant policy in this manner.
>>
>> Instead
>>
>> "An authentication mechanism where a party potentially under the
>> control of the Relying Party can not gain sufficient information to be
>> able to successfully authenticate to the End User's OpenID Provider as
>> if that party were the End User."
>
> So let's see.
>
> I trick you into going to a site that you think is Amazon.com.
> Then I get you to type in your credit card number, which may
> involve having you type in a user name and password also. I
> don't care what you type in as a password. What I care about
> is that I now have your credit card number.
>
> I think this is called a phishing attack. But according to
> the definition above, it's phishing resistant. Note that even
> if Amazon uses OpenId, sends you to my real OP and you
> authenticate correctly, I still can get your credit card
> number. That's what I really want. I don't care about getting
> your credentials as long as I can trick you into providing
> something of value.
>
> In other words, the definition above talks about authentication
> of the wrong party. Either that or folks have some screwy
> notion of what phishing means.

This phishing scenario you describe is not affected at all by use of
OpenID. The attacker site could have asked you to create a username
and password at the site itself and enter your credit card number.
Redirecting to the OP for login is relatively risky (e.g., the OP may
be aware of the phishing attack) and there are many other alternatives
that are simpler to implement if a phishing site wishes to appear
"more credible".

The purpose of the PAPE extension is to allow honest RPs to specify
policies that indicate a higher level of confidence in the signup
procedure of the OP. In particular, it may request that the OP use a
phishing-resistant login procedure. It is NOT the purpose of PAPE to
stop phishing in general, which is an intractable problem.
>
> Eric Norman
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
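To make the RP/OP division of labour that Breno describes concrete, here is an added example of the RP side of a PAPE exchange. It is my own illustration, not code from this thread, from the PAPE specification or from any OpenID library. The parameter names (`openid.ns.pape`, `openid.pape.preferred_auth_policies`, `openid.pape.max_auth_age`, `openid.pape.auth_policies`, `openid.pape.auth_time`) and the policy URIs are those of PAPE 1.0; the sample assertions, the `now` timestamp and the assumption that the OpenID 2.0 signature has already been verified are constructed for the example. Note what it does and does not give you: an honest RP learns whether the OP applied a phishing-resistant login, and must insist that the PAPE fields were inside the signed portion of the assertion. Nothing here protects a user from an RP that is itself the phisher, which is exactly the distinction the reply above draws.

```python
"""RP-side handling of the PAPE 1.0 extension (constructed example)."""
from datetime import datetime, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
NONE_POLICY = "http://schemas.openid.net/pape/policies/2007/06/none"


def build_pape_request(policies, max_auth_age=None):
    """Extra query parameters the RP appends to its checkid_setup request.

    `policies` is the list of policy URIs the RP would like the OP to
    apply; PAPE carries them space-separated in one parameter.
    """
    args = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(policies),
    }
    if max_auth_age is not None:
        args["openid.pape.max_auth_age"] = str(max_auth_age)
    return args


def check_pape_response(resp, required_policy, max_auth_age=None, now=None):
    """Decide whether a positive assertion satisfies the RP's PAPE policy.

    `resp` is the parsed id_res message as a dict of openid.* parameters.
    The OpenID signature itself is assumed to have been verified already
    (assumption of this example); here we only check that the PAPE fields
    were covered by that signature and report what the RP asked for.
    Returns (ok, reason).
    """
    if resp.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not answer with PAPE"

    # openid.signed lists the signed field names without the openid. prefix.
    signed = set(resp.get("openid.signed", "").split(","))
    needed = ["ns.pape", "pape.auth_policies"]
    if max_auth_age is not None:
        needed.append("pape.auth_time")
    missing = [f for f in needed if f not in signed]
    if missing:
        # Unsigned PAPE fields could be altered on the way back to the RP.
        return False, "PAPE fields not covered by signature: " + ", ".join(missing)

    # The OP reports the policies it actually applied; the "none" URI
    # means it applied none of the requested ones.
    policies = resp.get("openid.pape.auth_policies", "").split()
    if required_policy not in policies:
        return False, "OP did not apply " + required_policy

    if max_auth_age is not None:
        raw = resp.get("openid.pape.auth_time")
        if raw is None:
            return False, "OP omitted pape.auth_time"
        auth_time = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        if (now - auth_time).total_seconds() > max_auth_age:
            return False, "authentication older than max_auth_age"

    return True, "ok"


# --- constructed sample assertions (not real OP output) -------------------
SIGNED_BASE = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"

GOOD = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-10-28T20:10:00Z",
    "openid.signed": SIGNED_BASE + ",ns.pape,pape.auth_policies,pape.auth_time",
}
# OP answered, but applied none of the requested policies.
NO_POLICY = dict(GOOD, **{"openid.pape.auth_policies": NONE_POLICY})
# PAPE fields present but left out of the signed list.
UNSIGNED = dict(GOOD, **{"openid.signed": SIGNED_BASE})
# Constructed "current time" for the max_auth_age check.
NOW = datetime(2008, 10, 28, 20, 17, 1, tzinfo=timezone.utc)


def demo():
    """Run the checks over the constructed samples and return the outcomes."""
    return {
        "request": build_pape_request([PHISHING_RESISTANT, MULTI_FACTOR], max_auth_age=600),
        "good": check_pape_response(GOOD, PHISHING_RESISTANT, max_auth_age=600, now=NOW),
        "stale": check_pape_response(GOOD, PHISHING_RESISTANT, max_auth_age=300, now=NOW),
        "no_policy": check_pape_response(NO_POLICY, PHISHING_RESISTANT),
        "unsigned": check_pape_response(UNSIGNED, PHISHING_RESISTANT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `GOOD` sample passes with a 600-second freshness window and fails with a 300-second one (the constructed login is 421 seconds old); the `none` policy and the unsigned-fields cases are rejected outright.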