[OpenID] Why spoofing and OpenID look so much alike
Allen Tom
atom at yahoo-inc.com
Mon Sep 29 05:53:09 UTC 2008
Hi Shade,
In the ideal scenario, the user is already logged into their OP, so
there is no need for the user to re-enter their password, unless
additional security is required (via the PAPE extension).
For instance, Yahoo users are usually persistently signed in, in order to
check their email, or to use other services on the Yahoo network.
Presumably, other OPs may already have an engaged userbase, and their
users are often signed in to their OP's site before signing into other
sites using their OpenID.
If the user is usually signed into their OP before using OpenID, then we
might be able to train users to think that entering their password is a
special event, which requires vigilance and caution. Education and
evangelism against the password/phishing anti-pattern could go a long
way to prevent phishing.
Yahoo's Login Screen encourages users to set up a customized Sign-in seal
to make it easier to recognize the real Yahoo Login screen. While
there's still plenty to be done to educate mainstream users about the
perils of phishing, we do have a lightweight anti-phishing solution
available for users who do understand phishing, and are willing to put a
little bit of effort into customizing their Login screen.
More information about the Yahoo Sign-in Seal is here:
http://protect.login.yahoo.com/ and we encourage all users to set one up.
Allen
SitG Admin wrote:
> Reviewing this a few minutes ago, I realized that OpenID
> really does look a lot like phishing:
>
> Phishing: the user sees a site that looks exactly like their regular
> login screen, but this isn't their login site.
> OpenID: the user sees a site that looks exactly like their regular
> login screen, because it IS their login site.
>
>
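The PAPE mechanism Allen mentions, as an added example (not Yahoo's code and not code from any OpenID library): a relying party asks the OP for phishing-resistant authentication, or for a fresh login via max_auth_age, and then checks that the OP's signed assertion actually honours that request. The parameter names and policy URIs are those of the PAPE 1.0 specification; the sample assertion, its timestamps and the helper names are constructed for this illustration.

```python
"""Relying-party side of OpenID PAPE 1.0: build the request extension and
validate the OP's answer. Added example; sample values are constructed."""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
NO_POLICY = "http://schemas.openid.net/pape/policies/2007/06/none"


def pape_request_params(preferred_policies, max_auth_age=None):
    """Extra parameters the RP adds to its checkid_setup / checkid_immediate
    request. max_auth_age=0 asks the OP to re-authenticate the user right now,
    even though the user may already hold a session at the OP."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
    }
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def check_pape_response(params, required_policies=(), max_auth_age=None, now=None):
    """Decide whether a positive assertion satisfies the RP's PAPE policy.

    Returns (ok, reason). Assumes the caller has already verified the OpenID
    signature itself; PAPE fields only mean something when openid.signed
    covers them, so an unsigned field is treated as absent.
    """
    if params.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not answer with PAPE"
    signed = set(params.get("openid.signed", "").split(","))
    if "ns.pape" not in signed or "pape.auth_policies" not in signed:
        return False, "PAPE parameters are not covered by the signature"

    # The OP lists the policies it actually applied; "none" means no policy.
    policies = set(params.get("openid.pape.auth_policies", "").split())
    policies.discard(NO_POLICY)
    missing = set(required_policies) - policies
    if missing:
        return False, "OP did not satisfy: " + " ".join(sorted(missing))

    if max_auth_age is not None:
        # A max_auth_age request obliges the OP to report when the user
        # last authenticated (UTC, ISO 8601 with a trailing Z).
        if "pape.auth_time" not in signed or "openid.pape.auth_time" not in params:
            return False, "OP did not report a signed auth_time"
        auth_time = datetime.strptime(
            params["openid.pape.auth_time"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        if now is None:
            now = datetime.now(timezone.utc)
        if now - auth_time > timedelta(seconds=max_auth_age):
            return False, "authentication is older than max_auth_age"
    return True, "ok"


# Constructed sample: the PAPE-relevant part of an OP's positive assertion,
# as the RP sees it after the user is redirected back to return_to.
SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-09-29T05:50:00Z",
}
# Constructed "current time" so the age check is reproducible (189 s later).
SAMPLE_NOW = datetime(2008, 9, 29, 5, 53, 9, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(pape_request_params([PHISHING_RESISTANT], max_auth_age=0))
    print(check_pape_response(SAMPLE_RESPONSE, [PHISHING_RESISTANT], 300, SAMPLE_NOW))
    print(check_pape_response(SAMPLE_RESPONSE, [MULTI_FACTOR], 300, SAMPLE_NOW))
```

The design point is that the RP, not the user, decides when a password prompt is a "special event": a request with max_auth_age=0 forces the OP to re-authenticate even a persistently signed-in user, and the RP rejects any assertion whose PAPE fields are unsigned or whose auth_time is too old, so a lax or compromised OP session cannot silently satisfy a high-assurance login.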