Comments on: Phishing and OpenID: Bookmarks to the Rescue?

By: Daniel Chien

Daniel Chien — Mon, 09 Jul 2007 06:08:53 +0000

I have a simple way to detect phishing website by checking the IP address of the phishing website. On the Internet, everyone has an IP address. You can not fake your IP address due to IP two-way routing. Phishing website must use an IP address and can not be same as legitimate financial institution IP address. By comparing the IP address, we can know this is a phishing website or not.

By: randomwalker

randomwalker — Thu, 03 May 2007 06:23:27 +0000

If I have to retry the transaction (comment posting or whatever) at the original site, then I’m simply not going to use it. Sorry.

Further, I might realize that I have to login only after I write my comment. There’s a chance that the data will be lost when I try to get back there. If this happens, the user will VERY QUICKLY learn not to use your service EVER AGAIN.

By: The Security Roundtable » Blog Archive » The Security Roundtable for February 2007 - OpenID

Thu, 15 Mar 2007 19:56:09 +0000

[...] Another idea (and MITM attack): http://usablesecurity.com/2007/01/20/phishing-and-openid/ [...]

By: Confluence: PlatformSecurity

Confluence: PlatformSecurity — Wed, 28 Feb 2007 22:22:15 +0000

OpenID…

OpenID This page has not been filled in yet. Notes from Sunil (email): And of course, UCAP can prevent it through it’s Defense is depth approach (Security Skin, EV SSL, Reputation Service, Stronger Username/password)…….

By: Richard M. Conlan

Richard M. Conlan — Wed, 28 Feb 2007 08:42:37 +0000

Some interesting blog entries on OpenID with comments on phishing and other issues:

ongoing

Should We Support OpenID?

By: Dubroy.com/blog » Warming up to OpenID

Dubroy.com/blog » Warming up to OpenID — Mon, 26 Feb 2007 18:20:35 +0000

[...] It’s not all rosy though. Many people have pointed out that the OpenID process is very susceptible to phishing attacks; but that’s a problem we’re going to have to solve somehow anyways, and I think the proposed solutions are pretty decent. Technorati Tags: authentication, openid, security, single sign on, usability [...]

By: Ping

Ping — Wed, 21 Feb 2007 04:45:02 +0000

If you always go directly to your OpenID provider to enter your password, then there’s no problem. The problem is the case where the relying party redirects you to your OpenID provider’s login form.

By: Mark Cross

Mark Cross — Tue, 13 Feb 2007 13:35:19 +0000

Dear Ping,

I don’t quite follow your walk through:

Go to my OpenID provider & “log in” with OpenID URL & Password.
Visit a site I’ve never seen before.
Enter my OpenID name and click “Log in”.
See the challenge page for my OpenID provider.
Return back to the newly added site.

If you were prompted for a password - something did go astray.

Yours puzzled,

Mark

By: Benlog » BeamAuth: Two-Factor Web Authentication with a Bookmark.

Benlog » BeamAuth: Two-Factor Web Authentication with a Bookmark. — Tue, 06 Feb 2007 19:47:48 +0000

[...] In recent days, Simon Willinson and then Ka-Ping Yee proposed having Alice use a bookmark to reach her OpenID server, rather than rely on the web site to redirect appropriately. This is interesting, and one of the OpenID implementors, JanRain, thinks so too. [...]

By: Kragen Sitaker

Kragen Sitaker — Mon, 29 Jan 2007 03:37:27 +0000

Looks like Simon went and implemented this as part of his idproxy service.

By: Andrew Cox

Andrew Cox — Tue, 23 Jan 2007 08:25:40 +0000

By: Don Park

Don Park — Mon, 22 Jan 2007 22:16:30 +0000

Ping, I like the way you think. Admitedly, this is one of the password-less ideas I had but it’s neat to find others thinking along the same line. Oh, I liked your Passpet idea also. :-)

By: Ping

Ping — Mon, 22 Jan 2007 06:25:01 +0000

I don’t think you’re misunderstanding it. The procedure I had in mind was to first use the bookmark to log in, and then retry the original transaction. With a little care in the UI, the provider might be able to make this less confusing.

By: Ping

Ping — Mon, 22 Jan 2007 06:23:32 +0000

Yes, you can embed the secret in the URL. Then you’re essentially using the URL like a capability. In general, this is a great idea, though it may take some catching up from software to properly treat URLs as capabilities (they need to be treated as secrets, and there’s the issue of logging in from a different computer than the one you normally use).

By: Ping

Ping — Mon, 22 Jan 2007 06:13:36 +0000

Providers could do that, if they wanted. But I don’t expect the personalized-image scheme to work, because it’s susceptible to a man-in-the-middle attack.

If I want to phish your password, I’ll go to the provider and attempt to log in as you. The provider will show me your image and title. Then I present that image and title to you when persuading you to give me your password.

By: David Hammond

David Hammond — Sun, 21 Jan 2007 23:34:40 +0000

OpenID providers could do something I’ve seen bank websites do: When you sign up for an account, it asks you to pick an image from a small collection they provide, and then to give a title to that image. Whenever you go to the page to type in your password, the image and title you selected should appear above the login form. Users are told to never type their password on a page unless they see that image and title. This is much easier than asking users to bookmark things, and it’s very safe.

By: Blog by Kveton » OpenID 2.0 and Phishing

Blog by Kveton » OpenID 2.0 and Phishing — Sun, 21 Jan 2007 21:51:47 +0000

[...] OpenID 2.0 and Phishing January 21st, 2007 | Category: OpenID, JanRain, Identity, Phishing There has been a bunch of discussion about OpenID 2.0 and how the latest draft does not address phishing at all. [...]

By: Alessandro "jekil" Tanasi blog

Alessandro "jekil" Tanasi blog — Sun, 21 Jan 2007 20:23:09 +0000

Week’s Links…

Social Engineering: A Means To Violate A Computer SystemAn Introduction to Information System Risk ManagementInvestigations Involving the Internet and Computer Networks List of frequently seen TCP and UDP ports and what they meanReview: Six Rootkit Det…

By: Rob Sayre’s Mozilla Blog » Blog Archive » Phishing and OpenID

Rob Sayre’s Mozilla Blog » Blog Archive » Phishing and OpenID — Sun, 21 Jan 2007 19:06:36 +0000

[...] Ka-Ping Yee: “OpenID, as currently used for single sign-on, facilitates phishing.“ [...]

By: Stuart Langridge

Stuart Langridge — Sun, 21 Jan 2007 16:42:40 +0000

Agreed that we’re better confused than phished, of course. However, we ought to strive to make things actually work, no?