[development] OpenId open to phishing attacks.
J-P Stacey
jp.stacey at torchbox.com
Wed Nov 7 09:58:37 UTC 2007
Augustin (Beginner) wrote:
> However, it seems to me that the OpenId protocol seems to make
> phishing easier.
In a sense it does, because as Derek says it can open up vectors by
generally encouraging bad, phishable behaviour on the part of web users. But
OpenID was never intended to solve the problem of reciprocal
user--site-owner trust; instead, it's meant solely to centralize authentication.
"This is not a trust system. Trust requires identity first."
http://simonwillison.net/2007/Jan/10/account/
Most of the halfway-viable solutions on Simon's blog seem to point to the
OpenID *providers* changing the way they process inbound requests e.g.
require people to input extra URLs etc. when they land on the provider page.
It's largely out of the hands of the e.g. Drupal sites that direct people to
OpenID providers.
Unless you're running your own OpenID *server* then this isn't an issue.
Looking at the module page I don't think that's in 5.x yet, let alone core.
In that case, if your Drupal site merely consumes OpenID - that is, it lets
other people log in with OpenId - then I think the only way to expose your
incoming users to phishing is for *you* to be the phisher!
J-P
--
J-P Stacey
+44 (0)1608 811870
http://torchbox.com
More information about the development
mailing list