Items tagged openid, phishing
Filters: openid × phishing × Sorted by date
Windows Live Adds Support For OpenID. I hope they include the option to log in to the provider using CardSpace, to address phishing. # 27th October 2008, 9:34 pm
OpenID phishing demo (via) A demonstration of the OpenID man-in-the-middle phishing attack. idproxy.net OpenIDs are immune to this particular variant due to the landing page not asking for your password (the phishing site could still provide their own redesigned landing page and hope users don’t notice though). # 28th May 2008, 8:09 am
PayPal Plans to Ban Unsafe Browsers. At first I thought they were going to encourage real anti-phishing features in browsers, which would be a big win for OpenID... but it turns out they’re just requiring EV SSL certificates which have been proven not to actually work. # 19th April 2008, 10:45 am
openid.yahoo.com. Yahoo!’s human readable guide to OpenID, complete with tour. It looks like they’re relying on the “sign-in seal” to protect against phishing. # 17th January 2008, 2:35 pm
MyOpenID adds Information Card Support. First client SSL certificates, now Information Cards. MyOpenID is certainly taking browser-based phishing solutions seriously. # 18th October 2007, 9:10 pm
Cronto. I saw a demo of this the other day—it’s a neat anti-phishing scheme that also protects against man in the middle attacks. It works using challenge/response: an image is shown which embeds a signed transaction code; the user then uses an application on their laptop or mobile phone to decode the image and enters the resulting code back in to the online application. # 2nd October 2007, 1:14 am
Designing for a security breach
User account breaches are inevitable. We should take that in to account when designing our applications.
[... 545 words]Beginner’s guide to OpenID phishing (via) Excellent primer on the phishing problem, which concludes that phishing can only be solved by moving away from usernames and passwords entirely. # 23rd March 2007, 9:22 pm
What is OpenID Good For? Dare Obasanjo provides some smart responses to Tim Bray’s criticisms of OpenID, including a good angle on the phishing problem. # 14th March 2007, 10:12 am
idproxy.net: Use your Yahoo! account as an OpenID
In an ideal world, some or all of the sites with large user databases (Yahoo!, AOL, Google, Amazon and so on) would act as OpenID providers, allowing their users to sign in to OpenID supporting sites around the Web. Until that happens, people who want to use OpenID need to sign up for Yet Another Account to do so.
[... 414 words]MyOpenID: New anti-phishing tools available. Includes SafeSignIn, which removes the login form from the landing page. You have to enable it in your preferences though. # 24th January 2007, 3:02 pm
We have a unique opportunity with phishing and OpenID. OpenID can make the possibility for bad things to happen from phishing that much worse. However, having an OpenID means you create a more intimate relationship with your OpenID provider. You go there everyday. You will more likely know when something is wrong.
— Scott Kveton # 24th January 2007, 3:02 pm
Phishing and OpenID: Bookmarks to the Rescue? Ping extends my proposal to use bookmarks as the principle authentication mechanism, resulting in a system that is much easier for people to understand. # 21st January 2007, 1:36 am
XMPP OpenID server. An OpenID provider that sends you a Jabber message when you try to log in, to help guard against phishing. # 20th January 2007, 11:24 pm
I can also sum things up for you even more succinctly:
—users are task oriented, driving to complete the goal the
quickest way possible
—users pay more attention to the content area than the browser chrome
—users don’t understand how easy it is to spoof a website
— Mike Beltzner # 19th January 2007, 5:33 pm
Links to academic papers on phishing. Posted to the openid-general list by Mike Beltzner. # 19th January 2007, 5:32 pm
Solving the OpenID phishing problem
Most of the arguments I hear against OpenID are based on mis-understandings of the specification, but there is one that can’t be ignored: OpenID is extremely vulnerable to phishing.
[... 531 words]