Simon Willison’s Weblog

Items tagged security, openid in 2007

Filters: Year: 2007 × security × openid ×


MyOpenID adds Information Card Support. First client SSL certificates, now Information Cards. MyOpenID is certainly taking browser-based phishing solutions seriously. # 18th October 2007, 9:10 pm

Cronto. I saw a demo of this the other day—it’s a neat anti-phishing scheme that also protects against man in the middle attacks. It works using challenge/response: an image is shown which embeds a signed transaction code; the user then uses an application on their laptop or mobile phone to decode the image and enters the resulting code back in to the online application. # 2nd October 2007, 1:14 am

Designing for a security breach

User account breaches are inevitable. We should take that in to account when designing our applications.

[... 545 words]

VeriSign’s SeatBelt OpenID plugin for Firefox. The first good example of browser integration for OpenID. It catches phishing attempts by watching out for rogue OpenID consumers that don’t redirect to the right place. # 17th August 2007, 5:37 pm

Solving the OpenID phishing problem

Most of the arguments I hear against OpenID are based on mis-understandings of the specification, but there is one that can’t be ignored: OpenID is extremely vulnerable to phishing.

[... 531 words]