Reverse cross-site scripting & OpenID

Chris Messina chris.messina at gmail.com
Thu Nov 23 21:38:09 UTC 2006


This seems to be an interesting opportunity to discuss OpenID and its
implications, especially when normal "old skool" login forms are being
spoofed *on the actual domain* of the real login form:

http://news.com.com/2100-1002_3-6137844.html

While OpenID doesn't necessarily provide a solution for this, the
behavior of authenticating remotely at a trusted OpenID endpoint does,
in some ways, mitigate against this problem.

I think that if anyone is interested, this might be a really good
issue to discuss and highlight publicly; the broader opportunity to me
seems to be that phishing attacks are becoming more sophisticated and
harder to detect with the usual criteria -- and browsers are now being
tripped into the mess by not being specific enough in their form
autofill rules.

I believe it was Johannes who solicited the "evil minded ones" in
Aldo's podcast... well, we now have another example of what kind of
attacks to expect. What ideas can we offer OpenID implementors to
counter this kind of problem?

Chris

-- 
Chris Messina
Citizen Provocateur &
  Open Source Ambassador-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is:   [X] bloggable    [ ] ask first   [ ] private


