OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
Simon Willison
simon at simonwillison.net
Fri Jan 19 14:45:08 UTC 2007
On 19 Jan 2007, at 14:19, Ben Laurie wrote:
> Still totally unhappy about the phishing issues, which I blogged
> about here:
>
> http://www.links.org/?p=187
I have a proposal which I think could greatly reduce the risk of
phishing: identity providers should /never/ display their login form
(or a link to the form) on a page that has been redirected to by an
OpenID consumer.
Instead, they should instruct the user to navigate to the login page
themselves. The login page should have a short, memorable URL and
users should be encouraged to bookmark it themselves when they sign
up for the provider. The OpenID "landing page" then becomes an
opportunity to help protect users against phishing rather than just
being a vector for the attack.
I've fleshed this out on my blog:
http://simonwillison.net/2007/Jan/19/phishing/
Does that sound workable?
Cheers,
Simon
More information about the specs
mailing list