[development] OpenId open to phishing attacks.

Darren Oh darrenoh at sidepotsinternational.com
Wed Nov 7 15:56:25 UTC 2007

My point is that a picture and phrase would provide a false sense of  
security, since a phishing site could request it on the user's  
behalf, display it, collect the user's input, and post it to the  
OpenID server. By providing a false sense of security, the picture  
could be worse than doing nothing. The only possible defense is for  
the user to notice that the page has been decrypted. A simple warning  
not to submit the form unless the secure icon is shown in the browser  
would be the best security.

On Nov 7, 2007, at 10:41 AM, Walt Daniels wrote:

> I have no doubt that the hackers will find ways around almost  
> anything we
> (or anybody else) does to prevent phishing. There is no possibility of
> overestimating the stupidity of our users in ignoring all the best  
> that we
> can offer. My proposal is a simple to implement step in the right  
> direction
> (supplemented by server side heavier duty security). It doesn't  
> change the
> user behavior too much to be annoying. One can always make things more
> secure by introducing more and more complication.

More information about the development mailing list