[development] OpenId open to phishing attacks.
Darren Oh
darrenoh at sidepotsinternational.com
Wed Nov 7 15:56:25 UTC 2007
My point is that a picture and phrase would provide a false sense of
security, since a phishing site could request it on the user's
behalf, display it, collect the user's input, and post it to the
OpenID server. By providing a false sense of security, the picture
could be worse than doing nothing. The only possible defense is for
the user to notice that the page has been decrypted. A simple warning
not to submit the form unless the secure icon is shown in the browser
would be the best security.
On Nov 7, 2007, at 10:41 AM, Walt Daniels wrote:
> I have no doubt that the hackers will find ways around almost anything we
> (or anybody else) does to prevent phishing. There is no possibility of
> overestimating the stupidity of our users in ignoring all the best that we
> can offer. My proposal is a simple to implement step in the right direction
> (supplemented by server side heavier duty security). It doesn't change the
> user behavior too much to be annoying. One can always make things more
> secure by introducing more and more complication.