[development] OpenId open to phishing attacks.

Walt Daniels wdlists at optonline.net
Wed Nov 7 14:46:45 UTC 2007


One thing that might help a little is to allow people to upload their
verification picture. Then separate the userid and password to separate
screens, or in the case of OpenID the proceed to the server page, with a new
page where you show them their verification picture and the password box, or
for OpenID a proceed button. Rather than allowing them to upload a
verification picture, they could select from a large collection of supplied
ones. One bank I use does approximately this and has a picture and a phrase
under it that I supplied.

-----Original Message-----
From: development-bounces at drupal.org [mailto:development-bounces at drupal.org]
On Behalf Of Augustin (Beginner)
Sent: Wednesday, November 07, 2007 8:10 AM
To: development at drupal.org
Subject: Re: [development] OpenId open to phishing attacks.

On Wednesday 07 November 2007 17:58, J-P Stacey wrote:
> Unless you're running your own OpenID *server* then this isn't an 
> issue. Looking at the module page I don't think that's in 5.x yet, let 
> alone core.

Thanks. I thought Drupal could act as a server....

Oh. I see what you mean.
http://drupal.org/project/openid says the server code is in 4.7.
http://drupal.org/node/144050

Here are some references for those interested:

server module? (feature request)
http://drupal.org/node/185272
Port 4.7-2.x to Drupal 5
http://drupal.org/node/126841

PHP-based OpenID Server code
http://groups.drupal.org/node/1109




Augustin.


