[security] Phishing: Bookmarks to the rescue?
Dick Hardt
dick at sxip.com
Sun Jan 21 06:26:19 UTC 2007
Hi Ka-Ping
The MITM attack allows the bad guy to modify any headers being sent
to the real OP, including the Referer: header. An unsuspecting user
will just type in their credentials as they will see the usual
prompt, forgetting they are supposed to go to the OP via the
bookmark. So unfortunately this solution is easily defeated.
-- Dick
On 20-Jan-07, at 4:53 PM, Ka-Ping Yee wrote:
> In the shower today I thought of an approach (which is an extension
> of Simon Willison's proposal) that could make a dent in the OpenID
> phishing problem. Upon re-reading Simon's post I realized that the
> discussion on the post was headed in a similar direction.
>
> In short, the provider asks users to bookmark the login page, and
> tells them to always use the bookmark to log in. The provider never
> shows a login form in response to any request that contains a
> Referer: header -- instead, it warns users always to use the bookmark.
>
> I've explained it in more detail on my blog:
>
> http://usablesecurity.com/2007/01/20/phishing-and-openid/
>
> Bookmarks have previously not been an adequate response to phishing
> because users would have to create bookmarks for every site they
> use. But in combination with OpenID, the bookmark approach becomes
> much more feasible. What do you think?
>
>
> -- ?!ng
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
>
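To make the exchange above concrete, here is a small model of the provider-side Referer gate that Ka-Ping proposes, together with the case Dick raises. This is an added example, not code from either poster or from any OpenID implementation; the `Request` class, the hostnames `op.example`, `rp.example` and `proxy.example`, and the `serve_login` gate are all constructed for illustration.

```python
# Added example: a minimal model of a Referer-gated OpenID login page.
# Nothing here is taken from the thread; all names and hosts are assumed.
from dataclasses import dataclass, field

OP_HOST = "op.example"  # assumed hostname of the real OpenID provider (OP)


@dataclass
class Request:
    """A stripped-down HTTP request as the OP would see it."""
    host: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive, so compare in lower case.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def serve_login(request):
    """Provider-side gate from the proposal: only a request that carries no
    Referer header (a bookmark or a typed URL) gets the login form; any
    request that arrived by following a link gets a warning instead."""
    if request.header("Referer") is not None:
        return (403, "Please use your bookmark to log in.")
    return (200, "<login form>")


# Constructed requests for the three situations discussed in the thread.

# 1. The user follows their bookmark: the browser sends no Referer.
FROM_BOOKMARK = Request(OP_HOST, "/login")

# 2. The user follows a link from a relying party: Referer is present,
#    so the gate refuses and shows the warning. This is the case the
#    proposal is designed to catch.
FROM_LINK = Request(OP_HOST, "/login",
                    {"Referer": "https://rp.example/start"})

# 3. Dick's objection: a man-in-the-middle relay sits between the browser
#    and the OP. The browser did send a Referer (to the relay's own page),
#    but the relay controls every header it forwards to the real OP and
#    forwards none. What reaches the OP is modelled here as the forwarded
#    request only; it carries no Referer and is therefore identical, from
#    the OP's point of view, to the bookmark request in case 1.
VIA_MITM = Request(OP_HOST, "/login")


def gate_results():
    """Status the gate returns for each situation; used by the demo and
    by the test. The 'mitm' case receiving 200 is the weakness."""
    cases = [("bookmark", FROM_BOOKMARK),
             ("link", FROM_LINK),
             ("mitm", VIA_MITM)]
    return {name: serve_login(req)[0] for name, req in cases}


def gate_distinguishes(a, b):
    """True only if the gate treats the two requests differently."""
    return serve_login(a)[0] != serve_login(b)[0]


if __name__ == "__main__":
    for name, status in gate_results().items():
        print(f"{name:9s} -> {status}")
    print("bookmark vs mitm distinguishable:",
          gate_distinguishes(FROM_BOOKMARK, VIA_MITM))
```

Running it shows the gate doing exactly what the proposal asks (`link` gets the warning, `bookmark` gets the form) and also the limitation Dick points out: the relayed request and the genuine bookmark request present the same headers, so the gate returns 200 for both. The check therefore only helps when the user really does arrive via the bookmark, which is the habit the proposal depends on.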