Augustin (Beginner) wrote:

    However, it seems to me that the OpenID protocol seems to make phishing easier.

In a sense it does, because as Derek says it can open up vectors by generally encouraging bad, phishable behaviour on the part of web users. But OpenID was never intended to solve the problem of reciprocal user–site-owner trust; instead, it's meant solely to centralize authentication. "This is not a trust system. Trust requires identity first." http://simonwillison.net/2007/Jan/10/account/

Most of the halfway-viable solutions on Simon's blog seem to point to the OpenID *providers* changing the way they process inbound requests, e.g. requiring people to input extra URLs etc. when they land on the provider page.

It's largely out of the hands of the e.g. Drupal sites that direct people to OpenID providers. Unless you're running your own OpenID *server*, this isn't an issue. Looking at the module page, I don't think that's in 5.x yet, let alone core.

In that case, if your Drupal site merely consumes OpenID - that is, it lets other people log in with OpenID - then I think the only way to expose your incoming users to phishing is for *you* to be the phisher!

J-P

--
J-P Stacey
+44 (0)1608 811870
http://torchbox.com