[development] OpenId open to phishing attacks.

[Walt Daniels]

I have no doubt that the hackers will find ways around almost anything we
(or anybody else) does to prevent phishing. There is no possibility of
overestimating the stupidity of our users in ignoring all the best that we
can offer. My proposal is a simple to implement step in the right direction
(supplemented by server side heavier duty security). It doesn't change the
user behavior too much to be annoying. One can always make things more
secure by introducing more and more complication. 

-----Original Message-----
From: development-bounces at drupal.org [mailto:development-bounces at drupal.org]
On Behalf Of Darren Oh
Sent: Wednesday, November 07, 2007 9:58 AM
To: development at drupal.org
Subject: Re: [development] OpenId open to phishing attacks.

That wouldn't do anything to prevent man-in-the-middle attacks. The concern
is that sites may intercept your password. However, a man-in- the-middle
attack would not be possible if the OpenID server uses SSL encryption. We
can provide security by ensuring that the OpenID server will not accept an
insecure connection.

On Nov 7, 2007, at 9:46 AM, Walt Daniels wrote:

> One thing that might help a little is to allow people to upload their 
> verification picture. Then separate the userid and password to 
> separate screens, or in the case of OpenID the proceed to the server 
> page, with a new page where you show them their verification picture 
> and the password box, or for OpenID a proceed button. Rather than 
> allowing them to upload a verification picture, they could select from 
> a large collection of supplied ones. One bank I use does approximately 
> this and has a picture and a phrase under it that I supplied.


--
No virus found in this incoming message.
Checked by AVG Free Edition. 
Version: 7.5.503 / Virus Database: 269.15.24/1115 - Release Date: 11/7/2007
9:21 AM