[security] [OpenID] Another Client-side Password Phishing Mitigation Idea
Marcin Jagodziński
marcin.jagodzinski at gmail.com
Sun Jan 21 22:58:38 UTC 2007
07-01-21, Dmitry Shechtman <damnian at gmail.com> wrote:
> You're blinded by that "phishing is imminent, we must change something in
> the protocol" panic. I didn't see a viable solution in that department, so I
> think we should concentrate our efforts on the client side.
I don't think I'm blinded. And I do agree that we should concentrate
efforts on the client side.
> > This kind of detection can be very easily avoided in my opinion.
>
> Please read my comment carefully. The "fuzzy logic" part is only pertinent
> to combo fields. I don't know about the common user, but combo fields are a
> sacrifice I am willing to make.
<input type="text" name="opneid">
Just a typo in name, and Identity Manager isn't launched, am I wrong?
What about Flash and other login forms?
> Just to make things clear, I'm not implementing an identity manager plugin.
> I still believe it should be a core browser component, as it is the only
> solution to combine advanced security, *improved* usability (contrary to
> other suggestions we've seen) and CardSpace integration.
>
> I'd really love to hear what the FireFox/IE folks have to say about this.
>
I don't have anything against making Identity Manager a core component.
But somehow I don't perceive it as "the only solution".
regards
Marcin
PS. Posting only to security list.