[development] OpenId open to phishing attacks.
wdlists at optonline.net
Wed Nov 7 16:15:11 UTC 2007
Ok, I see your point, and I need to talk to my bank. There is a slight
wrinkle on their part in that my userid is more like an additional password
that is unique across customers. It is associated with my account number but
never displayed anywhere, so without a keylogger no one should be able to
find it. It is on an SSL page. It has the usual restrictions on length and
mixed character sets.
From: development-bounces at drupal.org [mailto:development-bounces at drupal.org]
On Behalf Of Darren Oh
Sent: Wednesday, November 07, 2007 10:56 AM
To: development at drupal.org
Subject: Re: [development] OpenId open to phishing attacks.
My point is that a picture and phrase would provide a false sense of
security, since a phishing site could request it on the user's behalf,
display it, collect the user's input, and post it to the OpenID server. By
providing a false sense of security, the picture could be worse than doing
nothing. The only possible defense is for the user to notice that the page
has been decrypted. A simple warning not to submit the form unless the
secure icon is shown in the browser would be the best security.
On Nov 7, 2007, at 10:41 AM, Walt Daniels wrote:
> I have no doubt that the hackers will find ways around almost anything
> we (or anybody else) does to prevent phishing. There is no possibility
> of overestimating the stupidity of our users in ignoring all the best
> that we can offer. My proposal is a simple-to-implement step in the
> right direction (supplemented by server-side heavier-duty security).
> It doesn't change the user behavior too much to be annoying. One can
> always make things more secure by introducing more and more