[security] Phishing and specs
Marcin Jagodziński
marcin.jagodzinski at gmail.com
Sun Jan 21 09:33:43 UTC 2007
I'd like to summarize my proposal. We're thinking about various
methods of preventing phishing, many of which require installing some
special plug-in or other UA interaction. This is good, but we all
know these solutions will never be part of the OpenID specs. And I think
that plugin makers / people involved in browser development will have
even more ideas about what can be done to prevent phishing "in browser".
There are different kinds of UA, and some of our ideas are relevant
and some are not, e.g. for mobile browsers.
The phishing problem has two parts:
1. Fake-OP is treated by the user as his True-OP (and True-OP looks just
like Any Other Page)
2. Fake-OP is treated by the browser as Any Other Page
This is basically the problem of OP identity, isn't it?
My idea is to require that the OP CLAIMS "I'm an OpenID OP". Then:
1. If it claims that it is an OP, the browser/UA will in some way
(it could be similar to the Andy Dale plugin's behavior) warn the user: "This is
an OP page" and then change the display, so that this page will not look
like Any Other Page (and then check if it's whitelisted, etc.)
2. A Fake OP can also not claim that it is an OP. In this situation it will
be perceived as Any Other Page. But the user knows, from previous logins,
that his True OP does not look like Any Other Page.
Andy Dale's plug-in works in a similar way, but it requires (as I
understand) manual OP-list creation. My approach doesn't require this
step (the fewer steps, the better). Dmitry Shechtman thinks that the UA can
recognize that the form on a page is the RP's "enter your identifier" form.
Personally I don't agree: now we have just a few forms, since OpenID
is in its early stages, but in 2010 the "fuzzy logic" used to recognize whether
the UA should react because this is an OpenID login form may be just too
fuzzy.
To summarize: the UA should have some method to find out if a page claims to
be an OP. Then it may launch some checking, some "Identity Manager
Plugin", or react in another, platform-specific, way.
regards,
Marcin
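The two-case decision described in the post (page claims to be an OP: warn, restyle, then consult a whitelist; page makes no claim: treat as Any Other Page), as an added example that is not part of the original post and not Andy Dale's plugin. The post does not say how the claim is expressed, so the claim marker used here, a `<meta name="x-openid-op">` tag, is an assumption for illustration only; the HTML pages and the trusted-origin list are constructed sample data. Note what the code does and does not do: the claim gates user-agent behaviour (warning and restyling), it does not establish trust by itself, since a Fake OP can emit the same marker; trust comes only from the origin whitelist.

```javascript
// Toy user-agent-side classifier for the "OP claims to be an OP" proposal.
// ASSUMPTION: the claim is a hypothetical <meta name="x-openid-op" ...> tag.
// Added example; not code from the original post or from any OpenID spec.

// Matches the hypothetical claim marker regardless of attribute order or case.
const OP_CLAIM_META = /<meta\s+[^>]*\bname\s*=\s*["']x-openid-op["'][^>]*>/i;

// Does the page claim "I'm an OpenID OP"?
function pageClaimsToBeOP(html) {
  return OP_CLAIM_META.test(html);
}

// Decide how the UA should react to a page.
// origin: scheme + host of the page, e.g. "https://op.example".
// trustedOrigins: OP origins the user has accepted on previous logins.
// Comparing full origins rather than substrings stops a lookalike host
// such as "op.example.evil.test" from matching "op.example".
function classifyPage(origin, html, trustedOrigins) {
  if (!pageClaimsToBeOP(html)) {
    // Case 2 of the post: no claim, so the UA treats it as Any Other Page.
    return { kind: 'ordinary-page', warn: false, restyle: false, message: '' };
  }
  // Case 1 of the post: the page claims to be an OP. The UA warns and changes
  // the display either way; the whitelist only decides the wording.
  const trusted = trustedOrigins.includes(origin);
  return {
    kind: trusted ? 'trusted-op' : 'unknown-op',
    warn: true,
    restyle: true,
    message: trusted
      ? `This is your OP page (${origin})`
      : `This page claims to be an OP, but ${origin} is not in your OP list`,
  };
}

// Constructed sample pages (not real sites).
const TRUE_OP_HTML =
  '<html><head><title>My OpenID Provider</title>' +
  '<meta name="x-openid-op" content="claim"></head>' +
  '<body><form><input type="password" name="pw"></form></body></html>';

// A Fake OP that copies the True OP's markup, claim included.
const FAKE_OP_CLAIMING_HTML = TRUE_OP_HTML;

// A Fake OP that does not claim to be an OP at all.
const FAKE_OP_SILENT_HTML =
  '<html><head><title>My OpenID Provider</title></head>' +
  '<body><form><input type="password" name="pw"></form></body></html>';

// Constructed whitelist: the user's True OP, learned from earlier logins.
const TRUSTED_ORIGINS = ['https://op.example'];

// Constructed scenarios: the True OP, a lookalike that claims, a lookalike that stays silent.
const SCENARIOS = [
  ['https://op.example', TRUE_OP_HTML],
  ['https://op.example.evil.test', FAKE_OP_CLAIMING_HTML],
  ['https://op.example.evil.test', FAKE_OP_SILENT_HTML],
];

for (const [origin, html] of SCENARIOS) {
  const verdict = classifyPage(origin, html, TRUSTED_ORIGINS);
  console.log(`${origin}: ${verdict.kind}` + (verdict.message ? ` (${verdict.message})` : ''));
}
```

Running it shows the three outcomes the post distinguishes: the True OP is restyled and labelled as the user's OP, a claiming Fake OP is restyled but labelled unknown, and a silent Fake OP is left looking like Any Other Page, which is exactly the case the post says the user must notice on his own.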