I have no doubt that the hackers will find ways around almost anything we (or anybody else) do to prevent phishing. There is no possibility of overestimating the stupidity of our users in ignoring all the best that we can offer. My proposal is a simple-to-implement step in the right direction (supplemented by heavier-duty server-side security). It doesn't change the user behavior enough to be annoying. One can always make things more secure by introducing more and more complication.

-----Original Message-----
From: development-bounces@drupal.org [mailto:development-bounces@drupal.org] On Behalf Of Darren Oh
Sent: Wednesday, November 07, 2007 9:58 AM
To: development@drupal.org
Subject: Re: [development] OpenId open to phishing attacks.

That wouldn't do anything to prevent man-in-the-middle attacks. The concern is that sites may intercept your password. However, a man-in-the-middle attack would not be possible if the OpenID server uses SSL encryption. We can provide security by ensuring that the OpenID server will not accept an insecure connection.

On Nov 7, 2007, at 9:46 AM, Walt Daniels wrote:
One thing that might help a little is to allow people to upload their verification picture. Then separate the userid and password onto separate screens (or, in the case of OpenID, separate the identifier from the proceed-to-the-server page), with a new page where you show them their verification picture and the password box, or for OpenID a proceed button. Rather than allowing them to upload a verification picture, they could select from a large collection of supplied ones. One bank I use does approximately this and has a picture and a phrase under it that I supplied.
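The two-screen flow Walt sketches and the https-only condition Darren states can be put together in a few dozen lines. The following is an added illustration, not code from the thread, from Drupal or from any OpenID module: screen 1 takes only the username and returns a one-time token plus the picture and phrase to display; screen 2 accepts the password only against that token; and a separate check refuses an identity-server endpoint that is not https. The user records, gallery file names, phrases and host names are all constructed for the example, and the decoy-picture behaviour for unknown usernames is my own choice, not something the thread proposes. As Darren notes in the thread, none of this stops a site that simply relays the whole exchange; the transport check is what that part of the argument rests on.

```python
"""Two-screen login with a per-user verification picture, plus an
https-only check for the identity server.  Added example; all data below
is constructed (no real users, hosts or Drupal/OpenID module code)."""
import hashlib
import hmac
import os
import secrets
from urllib.parse import urlparse

# Hypothetical gallery of site-supplied pictures the user picked from at enrolment.
PICTURE_GALLERY = ("lighthouse.png", "oak_tree.png", "sailboat.png", "teapot.png")
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(username: str, password: str, picture: str, phrase: str) -> dict:
    """Create a user record; the picture must come from the supplied gallery."""
    if picture not in PICTURE_GALLERY:
        raise ValueError("picture not in gallery")
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "picture": picture, "phrase": phrase}


# Constructed user store (example data only).
USERS = {u["username"]: u for u in (
    enroll("walt", "correct horse battery staple", "lighthouse.png", "my bank is not a fish"),
    enroll("darren", "openid-ftw-2007", "sailboat.png", "red sails at sunset"),
)}

# Screen-1 results awaiting screen 2, keyed by a one-time token.
PENDING: dict = {}


def _decoy_for(username: str) -> tuple:
    """Deterministic picture for an unknown name so screen 1 does not reveal
    which accounts exist (added hardening, not part of the thread).  The
    user-chosen phrase cannot be faked, so the decoy only covers the picture."""
    digest = hashlib.sha256(b"decoy:" + username.encode("utf-8")).digest()
    return PICTURE_GALLERY[digest[0] % len(PICTURE_GALLERY)], "(no phrase set)"


def begin_login(username: str) -> dict:
    """Screen 1: take only the username; return a token plus what to show on screen 2."""
    user = USERS.get(username)
    picture, phrase = (user["picture"], user["phrase"]) if user else _decoy_for(username)
    token = secrets.token_urlsafe(24)
    PENDING[token] = username
    return {"token": token, "picture": picture, "phrase": phrase}


def finish_login(token: str, password: str) -> bool:
    """Screen 2: the password is accepted only with a token issued by screen 1,
    and the token is single-use."""
    username = PENDING.pop(token, None)
    if username is None:
        return False
    user = USERS.get(username)
    if user is None:
        _hash_password(password, b"\x00" * 16)  # keep timing similar for unknown names
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


def is_secure_endpoint(url: str) -> bool:
    """Darren's condition: the identity server endpoint must be https with a host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


if __name__ == "__main__":
    step1 = begin_login("walt")
    print("screen 2 shows", step1["picture"], "with phrase", repr(step1["phrase"]))
    print("login ok:", finish_login(step1["token"], "correct horse battery staple"))
    print("https endpoint accepted:", is_secure_endpoint("https://id.example.net/openid"))
    print("http endpoint accepted:", is_secure_endpoint("http://id.example.net/openid"))
```

The token is what ties the two screens together: without it a phishing page that skips straight to a password prompt has nothing to submit against, and a token that was already consumed is refused. The `is_secure_endpoint` check is deliberately strict about the scheme string rather than, say, accepting a redirect from http to https, since the point in the thread is that the server should not accept the insecure connection at all.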