[development] OpenId open to phishing attacks.

Darren Oh darrenoh at sidepotsinternational.com
Wed Nov 7 14:57:58 UTC 2007


That wouldn't do anything to prevent man-in-the-middle attacks. The concern is that sites may intercept your password. However, a man-in-the-middle attack would not be possible if the OpenID server uses SSL encryption. We can provide security by ensuring that the OpenID server will not accept an insecure connection.

On Nov 7, 2007, at 9:46 AM, Walt Daniels wrote:

> One thing that might help a little is to allow people to upload their
> verification picture. Then separate the userid and password to separate
> screens, or in the case of OpenID the proceed-to-the-server page, with a new
> page where you show them their verification picture and the password box, or
> for OpenID a proceed button. Rather than allowing them to upload a
> verification picture, they could select from a large collection of supplied
> ones. One bank I use does approximately this and has a picture and a phrase
> under it that I supplied.
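As an added illustration of the two ideas in this exchange, not code from the thread's authors or from the Drupal project: a relying party that refuses any OpenID endpoint not served over HTTPS, and a provider-side login split into a username screen that shows the user's chosen picture and phrase before the password screen. The names `Provider`, `require_https_endpoint`, `endpoint_is_secure`, the supplied picture list and the sample user are assumptions made for this example.

```python
"""Verification-picture login and an HTTPS-only endpoint check (added example).

Names, picture list and sample data below are illustrative assumptions, not
anything from the OpenID specification or the Drupal code base.
"""
import hashlib
import hmac
import os
from urllib.parse import urlsplit


def endpoint_is_secure(url: str) -> bool:
    """True only if the OpenID endpoint URL uses https:// and names a host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def require_https_endpoint(url: str) -> str:
    """Relying-party side: refuse to send the user to a plain-http provider.

    Following an http:// endpoint hands the password exchange to anyone on
    the network path; refusing outright is the simplest fix.
    """
    if not endpoint_is_secure(url):
        raise ValueError(f"refusing insecure OpenID endpoint: {url}")
    return url


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an illustrative value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Provider:
    """Provider-side login: picture and phrase first, password second."""

    # Assumed "large collection of supplied ones" from which a user picks.
    PICTURES = ("lighthouse.png", "kitten.png", "bicycle.png")

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}

    def register(self, username: str, password: str, picture: str, phrase: str) -> None:
        if picture not in self.PICTURES:
            raise ValueError("picture must come from the supplied collection")
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw": _hash_password(password, salt),
            "picture": picture,
            "phrase": phrase,
        }

    def step_one(self, username: str) -> dict:
        """Screen 1: only the username was typed; show the picture and phrase.

        For an unknown username a deterministic decoy picture is returned so
        repeated probing does not trivially enumerate accounts. The phrase
        cannot be faked, so some account-existence leakage remains.
        """
        user = self._users.get(username)
        if user is None:
            idx = int.from_bytes(hashlib.sha256(username.encode()).digest()[:2], "big")
            return {"picture": self.PICTURES[idx % len(self.PICTURES)], "phrase": None}
        return {"picture": user["picture"], "phrase": user["phrase"]}

    def step_two(self, username: str, password: str) -> bool:
        """Screen 2: the user recognised their picture and typed the password."""
        user = self._users.get(username)
        if user is None:
            return False
        candidate = _hash_password(password, user["salt"])
        return hmac.compare_digest(candidate, user["pw"])


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    provider = Provider()
    provider.register("walt", "correct horse battery", "lighthouse.png", "blue sky")
    print(require_https_endpoint("https://openid.example.net/server"))
    print(provider.step_one("walt"))
    print(provider.step_two("walt", "correct horse battery"))
    print(provider.step_two("walt", "wrong password"))
```

One caveat a practitioner should keep in mind: the picture step is an oracle. A fake provider page that relays the typed username to the real provider gets the real picture back and can display it, so the picture defeats a static phishing copy but not a live relay; that part of the problem is what the HTTPS-only endpoint rule, and the user checking the provider's certificate, has to cover.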

