[OpenID] Phishing resistant policy of PAPE
Eric Norman
ejnorman at doit.wisc.edu
Tue Oct 28 20:31:21 UTC 2008
On Oct 28, 2008, at 3:17 PM, Breno de Medeiros wrote:
> On Tue, Oct 28, 2008 at 1:03 PM, Eric Norman <ejnorman at doit.wisc.edu>
> wrote:
>>
>> On Oct 28, 2008, at 1:09 PM, Paul Madsen wrote:
>>
>>> FYI, PAPE 1.0-07 (the version under public review) [1] no longer
>>> defines the phishing resistant policy in this manner.
>>>
>>> Instead
>>>
>>> "An authentication mechanism where a party potentially under the
>>> control of the Relying Party can not gain sufficient information to be
>>> able to successfully authenticate to the End User's OpenID Provider as
>>> if that party were the End User."
>>
>> So let's see.
>>
>> I trick you into going to a site that you think is Amazon.com.
>> Then I get you to type in your credit card number, which may
>> involve having you type in a user name and password also. I
>> don't care what you type in as a password. What I care about
>> is that I now have your credit card number.
>>
>> I think this is called a phishing attack. But according to
>> the definition above, it's phishing resistant. Note that even
>> if Amazon uses OpenID, sends you to my real OP and you
>> authenticate correctly, I still can get your credit card
>> number. That's what I really want. I don't care about getting
>> your credentials as long as I can trick you into providing
>> something of value.
>>
>> In other words, the definition above talks about authentication
>> of the wrong party. Either that or folks have some screwy
>> notion of what phishing means.
>
> This phishing scenario you describe is not affected at all by use of
> OpenID. ...
Right. That's part of the point.
> The purpose of the PAPE extension is to allow honest RPs to specify
> policies that indicate a higher level of confidence in the signup
> procedure of the OP. In particular, it may request that the OP use a
> phishing-resistant login procedure. It is NOT the purpose of PAPE to
> stop phishing in general, which is an intractable problem.
So why use the misleading label "phishing-resistant"? It offers
no resistance to the phishing attack above. It would be more
accurate to call it "Ben Laurie attack resistance".
Eric Norman