[security] Phishing: browser intercept on redirect (was Phishing: Bookmarks to the rescue?)

S. Sriram ssriram at gmail.com
Sun Jan 21 01:39:56 UTC 2007


Hi,

How about having the browser track the open id session
and throw up a dialog on redirect if it comes across an unknown
(to this user) openid server. The dialog requests user verification
to whitelist the openid server and subsequent redirects to
it would be passed through. The only way though that the
browser can verifiably track an OpenId session is if it
were to be instantiated by the user. Say, by the user clicking on an OpenId
button on the browser toolbar that auto-populates his OpenId in
the appropriate form field and then listens for subsequent redirects from
the RP.

Thanks
S. Sriram
----- Original Message ----- 
From: "Ka-Ping Yee" <openid at zesty.ca>
To: <security at openid.net>
Sent: Saturday, January 20, 2007 4:53 PM
Subject: [security] Phishing: Bookmarks to the rescue?


> In the shower today I thought of an approach (which is an extension
> of Simon Willison's proposal) that could make a dent in the OpenID
> phishing problem.  Upon re-reading Simon's post I realized that the
> discussion on the post was headed in a similar direction.
>
> In short, the provider asks users to bookmark the login page, and
> tells them to always use the bookmark to log in.  The provider never
> shows a login form in response to any request that contains a
> Referer: header -- instead, it warns users always to use the bookmark.
>
> I've explained it in more detail on my blog:
>
>    http://usablesecurity.com/2007/01/20/phishing-and-openid/
>
> Bookmarks have previously not been an adequate response to phishing
> because users would have to create bookmarks for every site they
> use.  But in combination with OpenID, the bookmark approach becomes
> much more feasible.  What do you think?
>
>
> -- ?!ng
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security 
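The browser-side tracker sketched in the reply above (a session that only starts from the user's own toolbar click, a prompt on any redirect from the RP to a provider the user has not yet whitelisted) and the quoted provider-side Referer rule, written out as an added Python example that is not code from either message; the class, method names and the per-user whitelist structure are assumptions.

```python
from urllib.parse import urlparse


class OpenIDSessionTracker:
    """Browser-side tracker for an OpenID login the user started via a toolbar click."""

    def __init__(self, trusted_ops):
        # Constructed per-user whitelist of OpenID provider hosts already confirmed by the user.
        self.trusted_ops = set(trusted_ops)
        self.active = None  # (identifier, rp_host) while a user-initiated login is in flight

    def start(self, identifier, rp_url):
        # Only a user action starts tracking, so an attacker's page cannot open a session itself.
        self.active = (identifier, urlparse(rp_url).hostname)

    def on_redirect(self, from_url, to_url):
        """Decide what to do with a redirect observed while a session is active.

        Returns 'ignore' (no session, or redirect not issued by the tracked RP),
        'pass' (destination is a known provider) or 'prompt' (unknown provider,
        show the verification dialog before following the redirect).
        """
        if self.active is None:
            return "ignore"
        src, dst = urlparse(from_url), urlparse(to_url)
        if src.hostname != self.active[1]:
            return "ignore"
        if dst.hostname in self.trusted_ops:
            return "pass"
        return "prompt"

    def whitelist(self, op_url):
        # Called once the user confirms the dialog; later redirects to this host pass through.
        self.trusted_ops.add(urlparse(op_url).hostname)

    def finish(self):
        # Login completed or abandoned: stop watching redirects.
        self.active = None


def provider_serves_login_form(headers):
    """The quoted rule: the provider never renders its login form for a request
    that carries a Referer header, telling the user to use the bookmark instead."""
    return not any(name.lower() == "referer" for name in headers)
```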