[security] Making phishing hard without changing UA side protocol

Ka-Ping Yee openid at zesty.ca
Mon Jan 22 19:56:32 UTC 2007


I believe we have a consensus of at least four of us on this mailing
list that the specification should recommend that OPs refuse to show
a login page in response to an authentication request.

In <http://openid.net/pipermail/security/2007-January/000217.html>
Hans Granqvist wrote:
> Just some quick thinking how phishing for passwords can
> be diminished without severely changing the protocol or
> enforcing UA plugins, etc.
[...]
> 2. The OP refuses to do a login at the same time
>     as an authentication. The user must be logged in
>     beforehand.

In <http://openid.net/pipermail/security/2007-January/000220.html>
thayes0993 at aol.com wrote:
> I believe that option #2 is the correct one to recommend at this time.
> While this is clearly outside of the openID protocol itself, remaining
> silent on the potential phishing attacks is not going to help promote
> openID in the long term.
>
>  Unless other mechanisms are in place to prevent phishing (see below)
> the OP must:
>
>  1) suggest that users login to the Open ID provider prior to accessing
> any Open ID-enabled site.
>  2) refuse to display a login page in response to an authentication
> request. Instead, the OP must direct the user to navigate to the OP
> on their own, by using a bookmark or typing in the URL directly.
>
>  Can we agree that this level of recommendation should be included
> in the protocol spec?

In <http://openid.net/pipermail/general/2007-January/001299.html>
Ka-Ping Yee wrote:
> it is probably a good idea to legislate or strongly
> recommend *against* the specific practice we know to be dangerous --
> redirecting from a validation request straight to a username/password
> login form -- and this practice should not be used in examples.

In <http://openid.net/pipermail/general/2007-January/001304.html>
Mike Beltzner wrote:
> > it is probably a good idea to legislate or strongly
> > recommend *against* the specific practice we know to be dangerous --
> > redirecting from a validation request straight to a username/password
> > login form -- and this practice should not be used in examples.
> >
> > Can we agree on that?
>
> Yup.


-- ?!ng
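
The recommendation agreed above (an OP must not answer an authentication
request with a login form; the user has to be signed in at the OP beforehand,
reached by bookmark or typed URL) as an added example, not code from this
thread or from any OpenID library. It contrasts the pattern the thread calls
dangerous with the recommended handling. Requests, sessions and responses are
plain dicts standing in for a web framework; the `op.example` and `rp.example`
URLs, the session layout and the `shows_login_form` field are assumptions made
for the illustration:

```python
"""OP endpoint logic for OpenID authentication requests: the pattern this
thread warns against beside the recommended one. Added example; not from the
thread or any OpenID library. Dict-shaped request/session/response objects and
the example.* URLs are assumptions of this illustration."""

from urllib.parse import urlencode

OP_ENDPOINT = "https://op.example/server"   # hypothetical OP endpoint
OP_LOGIN_URL = "https://op.example/login"   # hypothetical OP login form
OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed sample authentication request, as an RP would redirect it.
SAMPLE_REQUEST = {
    "openid.ns": OPENID_NS,
    "openid.mode": "checkid_setup",
    "openid.identity": "https://op.example/id/alice",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.return_to": "https://rp.example/finish",
    "openid.realm": "https://rp.example/",
}


def is_authentication_request(params):
    """checkid_setup and checkid_immediate are the modes that start an auth."""
    return params.get("openid.mode") in ("checkid_setup", "checkid_immediate")


def positive_assertion(params, session):
    """Response for a user who already has an OP session and owns the
    requested identifier. A real OP signs these fields under its association
    with the RP; signing is omitted here."""
    if session.get("identity") != params["openid.identity"]:
        return {"status": 403, "body": "signed-in user does not own this identifier"}
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.identity": params["openid.identity"],
        "openid.claimed_id": params["openid.claimed_id"],
        "openid.return_to": params["openid.return_to"],
        "openid.op_endpoint": OP_ENDPOINT,
    }
    return {"status": 302,
            "location": params["openid.return_to"] + "?" + urlencode(fields)}


def handle_auth_request_dangerous(params, session):
    """The pattern the thread warns against: an unauthenticated user arriving
    via the RP's redirect is sent straight to a username/password form. Users
    trained to expect this cannot distinguish the OP's real form from a
    look-alike reached through the same kind of redirect."""
    if not is_authentication_request(params):
        return {"status": 400, "body": "unsupported openid.mode"}
    if session.get("user") is None:
        return_url = OP_ENDPOINT + "?" + urlencode(params)
        return {"status": 302,
                "location": OP_LOGIN_URL + "?" + urlencode({"next": return_url}),
                "shows_login_form": True}
    return positive_assertion(params, session)


def handle_auth_request_recommended(params, session):
    """Recommended behaviour: never show or redirect to a login form in reply
    to an authentication request. With no OP session, checkid_immediate gets
    the protocol's negative answer (setup_needed in OpenID 2.0) and
    checkid_setup gets a form-free page telling the user to open the OP on
    their own, sign in there, and retry from the RP."""
    if not is_authentication_request(params):
        return {"status": 400, "body": "unsupported openid.mode"}
    if session.get("user") is None:
        if params["openid.mode"] == "checkid_immediate":
            negative = {"openid.ns": OPENID_NS, "openid.mode": "setup_needed"}
            return {"status": 302,
                    "location": params["openid.return_to"] + "?" + urlencode(negative)}
        return {"status": 403,
                "body": ("You are not signed in at this provider. This page "
                         "deliberately contains no login form: open the provider "
                         "from a bookmark or by typing its address, sign in "
                         "there, then return to the site you came from."),
                "shows_login_form": False}
    return positive_assertion(params, session)


if __name__ == "__main__":
    signed_in = {"user": "alice", "identity": "https://op.example/id/alice"}
    print(handle_auth_request_dangerous(SAMPLE_REQUEST, {})["location"])
    print(handle_auth_request_recommended(SAMPLE_REQUEST, {})["body"])
    print(handle_auth_request_recommended(SAMPLE_REQUEST, signed_in)["location"])
```

The point the two handlers make concrete: in the recommended version the only
path that ever leads to a login form is the user's own navigation to the OP,
so an RP-initiated redirect can never be the thing that trains the user to type
a password.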
