A big problem with OpenID: phishing

Hopefully I won’t embarrass myself too much with this post, because I haven’t really researched the ins and outs of OpenID. From using it a couple of times I got the impression that the concept has a big flaw, though.

Usually what happens when I try to sign up to a site with OpenID is that the site forwards me to my OpenID provider. Then I have to log in on the OpenID provider's site and confirm to the provider that I want to log in to the original site.

And that is the problem right there: some random site on the internet forwards me to my OpenID provider, where I proceed to enter my login credentials. That is a classic phishing scenario.

How can I be sure that the site I am being forwarded to really is the site of my OpenID provider? Phishers are experts at mimicking other sites. They could forward me to a site that looks almost the same as my OpenID provider's. Often this is done by slightly misspelling the name of the site; in some cases the name even looks identical, because other alphabets contain letters that look the same as Latin ones (a homograph attack), so the difference cannot be spotted by eye.

There are some mechanisms that try to prevent site spoofing, such as HTTPS, but I think the reality is that none of them really are good enough. The only way to make sure you are on the site you want to be on is to type its URL by hand, without making any spelling mistakes (even then it is probably not 100% certain, because the domain name resolution system could also be tampered with, but that is another topic altogether, and I don't know much about it). For the same reason one shouldn't click on links in emails: if you get a link from (supposedly) eBay to check your auction, that email could be from a fake eBay linking to a spoofed eBay site that will phish your eBay login.
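To make the check concrete, here is an added example in Python (not code from the original post): a small function that compares the host a relying party redirects to against the OpenID provider host the user actually trusts. It flags targets that are not HTTPS, hostnames that mix scripts (the homograph case), near-miss spellings such as mvbank.com for mybank.com, and URLs that do not carry an OpenID authentication request at all. The trusted provider host openid.example.com and the sample redirect URLs are constructed for illustration.

```python
"""Check where an OpenID redirect is really sending the browser.

Added example, not part of the original post. The trusted provider host and
the sample redirect URLs are constructed for illustration.
"""
import unicodedata
from urllib.parse import parse_qs, urlsplit

TRUSTED_OP_HOST = "openid.example.com"  # the provider the user signed up with (assumed)

# Constructed sample redirect targets, as a relying party might send them.
GOOD_URL = ("https://openid.example.com/server?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
            "&openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Frp.example.org%2Ffinish")
PLAIN_HTTP_URL = "http://openid.example.com/server?openid.mode=checkid_setup"
LOOKALIKE_URL = "https://openid.exarnple.com/server?openid.mode=checkid_setup"      # "rn" for "m"
HOMOGRAPH_URL = "https://openid.ex\u0430mple.com/server?openid.mode=checkid_setup"  # Cyrillic "а"


def normalize_host(host: str) -> str:
    """Lower-case, NFKC-normalize and IDNA-encode a host so that a Unicode
    look-alike becomes a visibly different xn-- label."""
    host = unicodedata.normalize("NFKC", host.strip().rstrip(".")).lower()
    return host.encode("idna").decode("ascii")


def scripts_in(host: str) -> set:
    """Unicode scripts of the letters in a host ('LATIN', 'CYRILLIC', ...),
    taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag near misses such as mvbank.com vs mybank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_redirect(redirect_url: str, trusted_op_host: str = TRUSTED_OP_HOST) -> list:
    """Return the reasons this redirect should not be trusted; an empty list means
    the target is the trusted provider, over HTTPS, carrying an OpenID auth request."""
    problems = []
    parts = urlsplit(redirect_url)
    if parts.scheme != "https":
        problems.append("not https")
    host = parts.hostname or ""
    if not host:
        return problems + ["no host in URL"]
    try:
        actual = normalize_host(host)
        expected = normalize_host(trusted_op_host)
        unicode_host = actual.encode("ascii").decode("idna")  # back to Unicode for the script check
    except UnicodeError:
        return problems + ["host is not a valid IDNA name"]
    scripts = scripts_in(unicode_host)
    if len(scripts) > 1:
        problems.append("mixed scripts in host: %s" % sorted(scripts))
    if actual != expected:
        d = edit_distance(actual, expected)
        if d <= 2:
            problems.append("host %r is a near miss for %r (edit distance %d)" % (actual, expected, d))
        else:
            problems.append("host %r is not the trusted provider %r" % (actual, expected))
    mode = parse_qs(parts.query).get("openid.mode", [""])[0]
    if mode not in ("checkid_setup", "checkid_immediate"):
        problems.append("not an OpenID authentication request (openid.mode=%r)" % mode)
    return problems


if __name__ == "__main__":
    for url in (GOOD_URL, PLAIN_HTTP_URL, LOOKALIKE_URL, HOMOGRAPH_URL):
        print(url, "->", check_redirect(url) or "OK")
```

The near-miss threshold of two edits is a judgement call; it catches single-character typosquats and the classic "rn" for "m" substitution but will also flag legitimate sibling hosts such as openid1 versus openid2, so in practice the result is something to show the user, not a hard block.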

But I don’t want to educate about phishing, there is enough information about it on the internet already. I just wanted to raise my concerns about this problem with OpenID.

Many might feel that the problem is not really severe, or maybe it is just a problem of the particular implementations of OpenID that I have used. My own feeling is that as web developers we have a responsibility not to encourage dangerous behaviour on the part of our users, and therefore OpenID in its current form has lost a lot of appeal to me.

One possible way to deal with the problem would be to always stay logged in to one's OpenID provider and never log in when being forwarded to it. Hopefully, if you are already logged in, you don't need to log in again when being forwarded; you only have to confirm the authentication request of the original site.
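The "already logged in, only confirm" flow is something the provider side has to implement, and it only helps if the provider also checks that the relying party's return address belongs to the realm it asks the user to approve. Here is an added example in Python (not the original post's code and not any real provider's implementation): a minimal decision function for a checkid_setup request, with the return_to/realm matching rules as I read them from OpenID Authentication 2.0 section 9.2. The sample request and the user name alice are constructed.

```python
"""OpenID provider side: decide between a login form and a confirmation prompt,
and verify openid.return_to against openid.realm before asking for either.

Added example, not part of the original post or any real provider. The realm
matching follows OpenID Authentication 2.0 section 9.2 as I read it; the
sample request and the user name are constructed.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample checkid_setup request, as a relying party would send it
# in the redirect to the provider.
SAMPLE_REQUEST = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "checkid_setup",
    "openid.claimed_id": "https://openid.example.com/alice",
    "openid.identity": "https://openid.example.com/alice",
    "openid.return_to": "https://rp.example.org/openid/finish?nonce=abc",
    "openid.realm": "https://*.example.org/",
}


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """True if return_to lies inside realm: same scheme and port, no fragment,
    host equal to the realm host (or under it for a '*.' wildcard realm) and
    path equal to or below the realm path. Bare TLD wildcards are refused."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rt.fragment or rl.fragment:
        return False
    if rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    rt_host, rl_host = rt.hostname or "", rl.hostname or ""
    if rl_host.startswith("*."):
        suffix = rl_host[2:]
        if "." not in suffix:  # refuse "*.com"-style realms
            return False
        if not (rt_host == suffix or rt_host.endswith("." + suffix)):
            return False
    elif rt_host != rl_host:
        return False
    rl_path, rt_path = rl.path or "/", rt.path or "/"
    return rt_path == rl_path or rt_path.startswith(rl_path.rstrip("/") + "/")


def handle_checkid(params: dict, session_user: Optional[str]) -> Tuple[str, str]:
    """Return ('login' | 'confirm' | 'reject', detail).

    'confirm' is the case the post asks for: the user already has a session with
    the provider, so the page shows only the realm to approve and never a
    password field. A return_to outside the realm is rejected before the user
    is asked for anything."""
    if params.get("openid.mode") != "checkid_setup":
        return "reject", "unsupported openid.mode"
    return_to = params.get("openid.return_to")
    if not return_to:
        return "reject", "missing openid.return_to"
    realm = params.get("openid.realm") or return_to  # spec default: realm = return_to
    if not return_to_matches_realm(return_to, realm):
        return "reject", "openid.return_to is outside openid.realm"
    if session_user is None:
        return "login", realm
    return "confirm", "Sign in to %s as %s?" % (realm, session_user)


if __name__ == "__main__":
    print(handle_checkid(SAMPLE_REQUEST, None))
    print(handle_checkid(SAMPLE_REQUEST, "alice"))
    bad = dict(SAMPLE_REQUEST, **{"openid.return_to": "https://rp.example.org.evil.test/finish"})
    print(handle_checkid(bad, "alice"))
```

Note that the realm check protects the user from being sent on to a host outside the site they approved; it does nothing about the problem in the post itself, which is whether the page showing the prompt is the real provider. That is exactly why the "confirm" branch matters: a provider that never shows a password field to a user with an existing session gives the user a simple rule, "if it asks for my password, something is wrong".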

Please leave comments and correct me if I am wrong. Thanks!


4 Responses to “A big problem with OpenID: phishing”

  1. Phil Jordan Says:

    Yes, I’ve noticed this too. However, like you said, it’s less of an issue if you’re already logged into your OpenID provider. I know it’s not fully compliant, but the Google login makes this work: it just asks you if you want to log in to [blah] using your Google account.

    I’d start getting suspicious if it asked me for my user/pwd. Even if it did, my browser (Opera) would display the “magic wand” highlighting signifying that the browser already knows the credentials for that site. I’d be VERY worried if it didn’t show that.

    I more strongly suspect that OpenID in its current form won’t ever go mainstream, so we probably won’t even see OpenID phishing attacks.

  2. Andreas Says:

    What’s the problem with HTTPS? It should do exactly what you want: Make sure that you’re talking to the right guy.

    Besides: Conventional logins are all vulnerable to phishing, as we know. At least OpenID doesn't do anything worse. To take it further, it enables the use of phishing-proof authentication methods (e.g. public/private key, chipcard) for all OpenID-enabled sites.

  3. Björn Says:

    HTTPS: no, it only verifies that it is the site it claims to be. mvbank.com could have a valid certificate and still pretend to be mybank.com. Also, since HTTPS is so often implemented incorrectly, users are already trained to ignore the warnings. Furthermore, my impression is that many browsers are shipped with dodgy root certificates.

    What kind of phishing attacks for conventional login methods do you mean?

  4. Andreas Says:

    Displaying a login page on mvbank.com that looks like mybank.com, just like the phishing attack you’d expect on the OpenID provider.

    If you don't trust HTTPS, then maybe HTTPS should change or be replaced by something better. I don't see what OpenID can do here.

    However, there are some ideas to integrate the OpenID provider into the browser. I am not sure how this will work out technically, but it sounds like a solution to your problem.