[Herts] OpenID: Phishing Heaven

Steve Clark steve at bagofspoons.net
Wed Jan 24 08:46:14 GMT 2007


Ian Gregory wrote:
> I remember a couple of you mentioned OpenID on this list, and Steve
> has a ClaimID page, which as I understand it is one of the places
> where you can get an OpenID.
> 
> Well I have just read an interesting blog entry by Ben Laurie in
> which he explains why the OpenID spec is the worst he has ever
> seen from a phishing point of view. Note that his next blog
> entry is a followup on the same subject.
> 
> OpenID: Phishing Heaven:
> http://www.links.org/?p=187

He does have a point in that it is possible for a site that uses OpenID
to redirect you to a fake log-in site. You have to be extra careful that
it's the right site.

One way to avoid this is to log in to your OpenID provider before
visiting other sites, then you should not have to enter your password
again. Ideally the log-in pages would make use of encrypted pages
with appropriate authentication. A lot relies on people being aware of
the dangers.

In any case I'm not using OpenID for anything critical. I doubt any
banks or other financial sites are using it anyway. For now it's a
convenient way to log in to sites where you don't want to have to set up
a whole new account.

For those who don't know what all this is about see:

http://en.wikipedia.org/wiki/Openid

I've been playing with ClaimID as a way to say what parts of the web are
about me. You can get similar information by doing a Google for
'steevc', but this site can verify a link to my email address via a
'MicroID' in the page header. All about me at:

http://claimid.com/steevc

Personally I would like to see some sort of identity verification based
around public key encryption, but I've not seen much about that so far.

-- 
Steve
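The redirect problem Steve describes above (a relying party sending the browser to a look-alike log-in page rather than the real provider) can be turned into a concrete check. The following is an added example and not code from the thread or from ClaimID: it assumes the user keeps a list of provider hosts they actually hold an account with (`TRUSTED_PROVIDER_HOSTS`, a constructed placeholder) and that the relying party's redirect is a plain OpenID `checkid_setup`/`checkid_immediate` request URL. Every hostname and URL in it is constructed.

```python
"""Defender-side check for an OpenID log-in redirect.

Added example, not from the original mailing-list post.  The idea is the
advice in the post: be careful that the page asking for your OpenID
password is your real provider and that it is served encrypted.
"""
from urllib.parse import urlparse, parse_qs

# Constructed placeholder: the provider hosts this user has signed up with.
# A real deployment would load this from the user's own configuration.
TRUSTED_PROVIDER_HOSTS = {"openid.example.net"}


def check_openid_redirect(redirect_url, trusted_hosts=TRUSTED_PROVIDER_HOSTS):
    """Return (ok, reason) for the URL a relying party wants to send us to.

    ok is True only when all three hold:
      * the page is served over HTTPS (the "encrypted pages" in the post),
      * the host matches a trusted provider exactly, so a look-alike
        domain or an unexpected subdomain is rejected,
      * the URL is actually an OpenID checkid request.
    """
    parts = urlparse(redirect_url)
    if parts.scheme != "https":
        return False, "log-in page is not encrypted (scheme is %r)" % parts.scheme
    host = (parts.hostname or "").lower()
    if host not in trusted_hosts:
        return False, "host %r is not a provider I have an account with" % host
    query = parse_qs(parts.query)
    mode = query.get("openid.mode", [""])[0]
    if mode not in ("checkid_setup", "checkid_immediate"):
        return False, "not an OpenID checkid request (openid.mode=%r)" % mode
    return True, "redirect goes to a trusted provider over HTTPS"


def demo():
    """Run the check over three constructed redirects and map name -> ok."""
    genuine = ("https://openid.example.net/server?openid.mode=checkid_setup"
               "&openid.identity=http://id.example.org/alice"
               "&openid.return_to=https://rp.example.org/done")
    # Constructed look-alike host: one character different from the real one.
    lookalike = ("https://openid.example-net.test/server?openid.mode=checkid_setup"
                 "&openid.identity=http://id.example.org/alice"
                 "&openid.return_to=https://rp.example.org/done")
    # Right host, but the password would travel in the clear.
    plaintext = ("http://openid.example.net/server?openid.mode=checkid_setup"
                 "&openid.identity=http://id.example.org/alice")
    samples = (("genuine", genuine), ("lookalike", lookalike), ("plaintext", plaintext))
    return {name: check_openid_redirect(url)[0] for name, url in samples}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "OK" if ok else "REJECTED")
```

The exact-host match is deliberate: a relying party has no business sending the user anywhere except the provider the user chose, so an allow-list of full hostnames catches both registered look-alike domains and a subdomain the user never signed up on. The check is something a browser extension or a cautious user script could run before any password is typed; it does nothing to stop a site that simply asks for the password itself, which is why the post's other advice, logging in to the provider first, still matters.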
