Simon Willison’s Weblog

openid.yahoo.com. Yahoo!’s human readable guide to OpenID, complete with tour. It looks like they’re relying on the “sign-in seal” to protect against phishing.

# 17th January 2008, 2:35 pm / phishing, yahoo, openid, security, signinseal

Why Virtual Theft Should Matter to Real Life Tech Companies. Interesting trend: sites that profit from sales of virtual goods (such as Habbo Hotel) are seeing users use phishing attacks to steal those goods from each other.

# 18th November 2007, 11:21 am / phishing, virtualgoods, habbohotel, mmorpg, security

MyOpenID adds Information Card Support. First client SSL certificates, now Information Cards. MyOpenID is certainly taking browser-based phishing solutions seriously.

# 18th October 2007, 9:10 pm / myopenid, janrain, openid, phishing, security, informationcards

The password anti-pattern. What I don’t understand is why Google / Yahoo! / other webmail providers haven’t just deployed a simple OAuth-style API for accessing the address book. Sites have been scraping them for years anyway; surely it’s better to offer an official API than continue to see users hand out their passwords?

# 12th October 2007, 9:25 am / phishing, passwords, oauth, gmail, yahoo, google, jeremy-keith

Cronto. I saw a demo of this the other day—it’s a neat anti-phishing scheme that also protects against man in the middle attacks. It works using challenge/response: an image is shown which embeds a signed transaction code; the user then uses an application on their laptop or mobile phone to decode the image and enters the resulting code back in to the online application.

# 2nd October 2007, 1:14 am / phishing, cronto, security, maninthemiddle, signing, challengresponse, openid

Beginner’s guide to OpenID phishing (via) Excellent primer on the phishing problem, which concludes that phishing can only be solved by moving away from usernames and passwords entirely.

# 23rd March 2007, 9:22 pm / openid, phishing

What is OpenID Good For? Dare Obasanjo provides some smart responses to Tim Bray’s criticisms of OpenID, including a good angle on the phishing problem.

# 14th March 2007, 10:12 am / openid, dare-obasanjo, phishing

MySpace Allegedly Kills Computer Security Website. No need for the allegedly; it’s been confirmed. MySpace got GoDaddy.com to redirect DNS for seclists.org after a list of phished user accounts posted to the full disclosure mailing list list was archived there.

# 26th January 2007, 9:57 am / myspace, dns, godaddy, security, phishing

MyOpenID: New anti-phishing tools available. Includes SafeSignIn, which removes the login form from the landing page. You have to enable it in your preferences though.

# 24th January 2007, 3:02 pm / openid, phishing, myopenid, scott-kveton

Phishing and OpenID: Bookmarks to the Rescue? Ping extends my proposal to use bookmarks as the principle authentication mechanism, resulting in a system that is much easier for people to understand.

# 21st January 2007, 1:36 am / phishing, bookmarks, ka-ping-yee, openid

XMPP OpenID server. An OpenID provider that sends you a Jabber message when you try to log in, to help guard against phishing.

# 20th January 2007, 11:24 pm / xmpp, openid, phishing

Links to academic papers on phishing. Posted to the openid-general list by Mike Beltzner.

# 19th January 2007, 5:32 pm / academic, openid, phishing

Real-World Passwords. Random passwords phished from MySpace are surprisingly decent.

# 14th December 2006, 2:14 pm / bruce-schneier, passwords, myspace, security, phishing

Myspace.com Trojaned Navigation Menu. Replace the “Home” link with a link to a phishing page.

# 8th December 2006, 4:41 pm / myspace, phishing

Internet Explorer 7. It’s been announced, but the stated focus is security and anti-phishing. No news on improved CSS.

# 15th February 2005, 7:04 pm / ie, ie7, css, security, phishing