[OpenID] What is phishing? [was: Phishing resistant policy of PAPE]
Eric Norman
ejnorman at doit.wisc.edu
Wed Oct 29 14:19:43 UTC 2008
On Oct 28, 2008, at 9:08 PM, Martin Atkins wrote:
> Eric Norman wrote:
>> True enough. And the so-called phishing resistance of OpenID doesn't
>> change this. I.e. it doesn't add any different signals that can't be
>> faked by evil.com. That's the point; that's why I say the phrase
>> is misleading.
>
> I don't know about anyone else, but I've always understood "phishing
> resistant" to mean that the authentication mechanism in use cannot be
> phished at all, even if the user doesn't watch out for the "signals".
Your understanding of phishing is not the same as what it
says in Wikipedia; it's not even close.
I think it would be useful if all the understandings floating
around could be more in harmony. (Do not take this as a
claim that Wikipedia is Gospel.)
For starters, how about detailing the distinction between a
phishing attack and a man-in-the-middle attack? I'll start.
An essential feature of a phishing attack is that the user
is an active participant and can be fooled. MITM attacks
can be effected covertly.
Eric Norman