Interesting discussion on the MediaWiki list: impersonation

Martin Atkins mart at degeneration.co.uk
Tue Nov 14 20:10:25 UTC 2006


Johannes Ernst wrote:
> http://mail.wikipedia.org/pipermail/wikitech-l/2006-November/039801.html
> 
>> Software responds, "The username you chose is very similar to the
>>    username of an existing user. In order to ensure that you are not
>>    trying to impersonate someone else, an administrator will have to
>>    approve your username manually.
> 
> This is really interesting because it's a form of attack: user A on a 
> site trying to trick another user into believing he is user B, not user 
> A. (Just like a phishing attack, but for users, not sites).
> 
> It appears to me that this type of attack would be particularly easy if 
> the user handle being shown on an OpenID-enabled site was anything OTHER 
> than the OpenID identifier (such as first/last name).
> 

I started a page on the wiki about best practices for RPs but I didn't 
really finish what I was writing so I forgot to mention it...
     <http://openid.net/wiki/index.php/Relying_Party_Best_Practices>

The second section there shows how *I* think people should be 
represented in a forum-like situation: give prominence to their "human 
name", but have the identifier URL there ready for immediate 
disambiguation if necessary.

Of course, in that example I show a "friendly-ized" version of the URL 
with the protocol removed; perhaps a way to do that kind of URL 
presentation unambiguously should be another best practice. (In 
particular, what do we do about http and https URLs that are otherwise 
the same? Yes, that old chestnut again.)
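Two mitigations come up in this exchange: flagging a new username that is a lookalike of an existing one for manual review (the MediaWiki proposal), and showing a human name alongside an identifier URL whose "friendly" form still keeps http and https apart (the Relying Party best practice). The Python below is an added example that is not code from this thread, from MediaWiki, or from any OpenID library. The confusable table is a small constructed subset, not a full Unicode confusables list, and the display rule (drop only the `http://` prefix, never `https://`) is one assumed convention, not something the thread settled on.

```python
import unicodedata
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed, illustrative subset of lookalike folds (assumption: a real
# deployment would use a maintained confusables table such as Unicode TR39).
CONFUSABLES = {
    "0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s", "$": "s",
    # Cyrillic letters that render like Latin ones
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u043c": "m", "\u0445": "x", "\u0443": "y",
}
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def skeleton(name: str) -> str:
    """Reduce a username to a comparison key so that visually similar names
    collide: NFKC, casefold, strip accents, drop separators, fold lookalikes."""
    s = unicodedata.normalize("NFKC", name).casefold()
    s = "".join(ch for ch in unicodedata.normalize("NFD", s)
                if not unicodedata.combining(ch))
    s = "".join(ch for ch in s if ch not in " _-.")
    for pair, single in MULTI_CONFUSABLES.items():
        s = s.replace(pair, single)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def check_username(candidate: str, existing: List[str]) -> Tuple[str, List[str]]:
    """Registration-time check. Returns one of
    ('taken', [...]), ('needs_review', [lookalikes]) or ('ok', []).
    'needs_review' is the case the quoted MediaWiki message hands to an admin."""
    if candidate in existing:
        return "taken", [candidate]
    key = skeleton(candidate)
    lookalikes = [u for u in existing if skeleton(u) == key]
    if lookalikes:
        return "needs_review", lookalikes
    return "ok", []


def display_identifier(url: str) -> str:
    """Friendly form of an identifier URL that stays unambiguous.
    Assumed convention: only the default 'http://' prefix is dropped; any
    other scheme (https in particular) is shown, and the path is kept."""
    parts = urlsplit(url)
    prefix = "" if parts.scheme == "http" else parts.scheme + "://"
    path = "" if parts.path in ("", "/") else parts.path
    query = "?" + parts.query if parts.query else ""
    return prefix + parts.netloc.lower() + path + query


def render_author(human_name: str, identifier: str) -> str:
    """Human name first, identifier ready for disambiguation."""
    return f"{human_name} ({display_identifier(identifier)})"


if __name__ == "__main__":
    # Constructed sample data.
    users = ["Martin", "Alice"]
    for cand in ["Mart1n", "M\u0430rtin", "Zoe"]:
        print(cand, "->", check_username(cand, users))
    print(render_author("Martin Atkins", "http://mart.degeneration.co.uk/"))
    print(render_author("Martin Atkins", "https://mart.degeneration.co.uk/"))
```

Note that `skeleton` is deliberately lossy: it is a collision key for triggering review, not a canonical username, so the stored name and the comparison key must be kept separate. The display rule makes `http://example.org/mart` and `https://example.org/mart` render differently, which is the minimum needed to keep the "friendly-ized" URL usable for disambiguation.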




More information about the user-experience mailing list