[Herts] OpenID: Phishing Heaven

Steve Clark steve at bagofspoons.net
Tue Jan 30 09:53:27 GMT 2007

Steve Clark wrote:
> Ian Gregory wrote:
>> I remember a couple of you mentioned OpenID on this list, and Steve
>> has a climID page, which as I understand it is one of the places
>> where you can get an OpenID.
>> Well I have just read an interesting blog entry by Ben Laurie in
>> which he explains why the OpenID spec is the worst he has ever
>> seen from a phishing point of view. Note that his next blog
>> entry is a followup on the same subject.
>> OpenID: Phishing Heaven:
>> http://www.links.org/?p=187
> He dopes have a point in that it is possible for a site that uses OpenID
> to redirect you to a fake log-in site. You have to be extra careful that
> it's the right site.

I've just seen another OpenID site that uses some techniques to minimise
the phishing risk.

http://idproxy.net/ uses your Yahoo log-in as your identifier (if you
have one). When you use your OpenID on a site the log-in screen will
display your name and a unique 'monster' image that the source site
should not be able to fake.

The author works for Yahoo, but seems to be providing this service
separately. His blog http://simonwillison.net/ has some interesting
writings on the OpenID field. He recommends that you try to avoid
logging into your account via a redirection. I guess that applies in
general, especially to things like banking sites.

If anyone hasn't signed the software patents petition you have 3 weeks
left. It's up to 1749 people now



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 324 bytes
Desc: OpenPGP digital signature
Url : http://mailman.lug.org.uk/pipermail/herts/attachments/20070130/acba8ec0/signature.bin

More information about the Herts mailing list