[development] OpenId open to phishing attacks.

J-P Stacey jp.stacey at torchbox.com
Wed Nov 7 09:58:37 UTC 2007


Augustin (Beginner) wrote:
> However, it seems to me that the OpenID protocol seems to make 
> phishing easier. 

In a sense it does, because as Derek says it can open up vectors by 
generally encouraging bad, phishable behaviour on the part of web users. But 
OpenID was never intended to solve the problem of reciprocal 
user--site-owner trust; instead, it's meant solely to centralize authentication.

	"This is not a trust system. Trust requires identity first."
	http://simonwillison.net/2007/Jan/10/account/

Most of the halfway-viable solutions on Simon's blog seem to point to the 
OpenID *providers* changing the way they process inbound requests e.g. 
require people to input extra URLs etc. when they land on the provider page. 
It's largely out of the hands of the e.g. Drupal sites that direct people to 
OpenID providers.

Unless you're running your own OpenID *server* then this isn't an issue. 
Looking at the module page I don't think that's in 5.x yet, let alone core. 
In that case, if your Drupal site merely consumes OpenID - that is, it lets 
other people log in with OpenID - then I think the only way to expose your 
incoming users to phishing is for *you* to be the phisher!

J-P
-- 
J-P Stacey
+44 (0)1608 811870
http://torchbox.com

