[security] Phishing: Bookmarks to the rescue?
Ka-Ping Yee
openid at zesty.ca
Sun Jan 21 07:31:58 UTC 2007
On Sat, 20 Jan 2007, Dick Hardt wrote:
> Hi Ka-Ping
Hi, Dick!
> The MITM attack allows the bad guy to modify any headers being sent
> to the real OP, including the Referer: header. An unsuspecting user
> will just type in their credentials as they will see the usual
> prompt, forgetting they are supposed to go to the OP via the
> bookmark. So unfortunately this solution is easily defeated.
The solution is defeated if the user enters credentials without
using the bookmark.
The hypothesis is that a user who chooses BookmarkID will be better
at remembering to use the bookmark. This won't work for everyone,
but I think it might work pretty well for some of us. OpenID lets
us do the experiment.
-- ?!ng