Comments on: A big problem with OpenID: phishing http://blog.blinker.net/2009/01/09/a-big-problem-with-openid-phishing/ Computer Science, Mathematics, Games Mon, 14 Jun 2010 17:39:26 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Andreas http://blog.blinker.net/2009/01/09/a-big-problem-with-openid-phishing/comment-page-1/#comment-234 Andreas Wed, 14 Jan 2009 08:55:26 +0000 http://blog.blinker.net/?p=20#comment-234 Displaying a login page on mvbank.com that looks like mybank.com, just like the phishing attack you'd expect on the OpenID provider. If you don't trust HTTPS, then maybe HTTPS should change or be replaced for something better. I don't see what OpenID can do here. However, there are some ideas to implement the OpenID provider into the browser. I am not sure how this will work out technically, but it sounds like a solution to your problem. Displaying a login page on mvbank.com that looks like mybank.com, just like the phishing attack you’d expect on the OpenID provider.

If you don’t trust HTTPS, then maybe HTTPS should change or be replaced for something better. I don’t see what OpenID can do here.

However, there are some ideas to implement the OpenID provider into the browser. I am not sure how this will work out technically, but it sounds like a solution to your problem.

]]> By: Björn http://blog.blinker.net/2009/01/09/a-big-problem-with-openid-phishing/comment-page-1/#comment-228 Björn Sun, 11 Jan 2009 22:22:49 +0000 http://blog.blinker.net/?p=20#comment-228 HTTPS: no it only verifies that it is the site it pretends to be. mvbank.com could have a valid certificate and still pretend to be mybank.com. Also, since https so often is implemented incorrectly, users are already trained to ignore the warnings. Furthermore, my impression is that many browsers are deployed with dodgy root certificates. What kind of phishing attacks for conventional login methods do you mean? HTTPS: no it only verifies that it is the site it pretends to be. mvbank.com could have a valid certificate and still pretend to be mybank.com. Also, since https so often is implemented incorrectly, users are already trained to ignore the warnings. Furthermore, my impression is that many browsers are deployed with dodgy root certificates.

What kind of phishing attacks for conventional login methods do you mean?

]]> By: Andreas http://blog.blinker.net/2009/01/09/a-big-problem-with-openid-phishing/comment-page-1/#comment-227 Andreas Sun, 11 Jan 2009 17:04:16 +0000 http://blog.blinker.net/?p=20#comment-227 What's the problem with HTTPS? It should do exactly what you want: Make sure that you're talking to the right guy. Besides: Conventional logins are all vulnerable to phishing, as we know. At least OpenID doesn't do anything worse. To take it further, it enables the use of phishing proof authentication methods (e.g. public/private key, chipcard) for all OpenID enabled sites. What’s the problem with HTTPS? It should do exactly what you want: Make sure that you’re talking to the right guy.

Besides: Conventional logins are all vulnerable to phishing, as we know. At least OpenID doesn’t do anything worse. To take it further, it enables the use of phishing proof authentication methods (e.g. public/private key, chipcard) for all OpenID enabled sites.

]]> By: Phil Jordan http://blog.blinker.net/2009/01/09/a-big-problem-with-openid-phishing/comment-page-1/#comment-224 Phil Jordan Fri, 09 Jan 2009 14:01:27 +0000 http://blog.blinker.net/?p=20#comment-224 Yes, I've noticed this too. However, like you said, it's less of an issue if you're already logged into your OpenID provider. I know it's not fully compliant, but the Google login makes this work: it just asks you if you want to log in to [blah] using your Google account. I'd start getting suspicious if it asked me for my user/pwd. Even if it did, my browser (Opera) would display the "magic wand" highlighting signifying that the browser already knows the credentials for that site. I'd be VERY worried if it didn't show that. I more strongly suspect that OpenID in its current form won't ever go mainstream, so we probably won't even see OpenID phishing attacks. Yes, I’ve noticed this too. However, like you said, it’s less of an issue if you’re already logged into your OpenID provider. I know it’s not fully compliant, but the Google login makes this work: it just asks you if you want to log in to [blah] using your Google account.

I’d start getting suspicious if it asked me for my user/pwd. Even if it did, my browser (Opera) would display the “magic wand” highlighting signifying that the browser already knows the credentials for that site. I’d be VERY worried if it didn’t show that.

I more strongly suspect that OpenID in its current form won’t ever go mainstream, so we probably won’t even see OpenID phishing attacks.

]]>