[OpenID] What is phishing? [was: Phishing resistant policy of PAPE]

David Recordon drecordon at sixapart.com
Wed Oct 29 14:24:20 UTC 2008


Hey Eric,
Are you trying to deploy OpenID with PAPE in an environment where it
won't work as written?  If so, what specifically doesn't work for your
use case(s)?

Thanks,
--David

On Oct 29, 2008, at 7:19 AM, Eric Norman wrote:

>
> On Oct 28, 2008, at 9:08 PM, Martin Atkins wrote:
>
>> Eric Norman wrote:
>>> True enough.  And the so-called phishing resistance of OpenID doesn't
>>> change this.  I.e. it doesn't add any different signals that can't be
>>> faked by evil.com.  That's the point;  That's why I say the phrase
>>> is misleading.
>>
>> I don't know about anyone else, but I've always understood "phishing
>> resistant" to mean that the authentication mechanism in use cannot be
>> phished at all, even if the user doesn't watch out for the "signals".
>
> Your understanding of phishing is not the same as what it
> says in Wikipedia; it's not even close.
>
> I think it would be useful if all the understandings floating
> around could be more in harmony.  (Do not take this as a
> claim the Wikipedia is Gospel).
>
> For starters, how about detailing the distinction between a
> phishing attack and a man-in-the-middle attack?  I'll start.
> An essential feature of a phishing attack is that the user
> is an active participant and can be fooled.  MITM attacks
> can be effected covertly.
>
> Eric Norman
>
