Phishing attacks on OpenID
paul at ciphergoth.org
Wed Jun 1 19:17:29 PDT 2005
Jason Nelson wrote:
> The threat of phishing exists anywhere that passwords are exchanged.
I think I've explained why I think OpenID is an especial risk here.
> A better approach may be to train user's to check the URL carefully before
> entering their credentials. I don't think we shouldn't degrade the overall
> user experience for this reason.
Sadly this approach to preventing phishing, which never really worked -
is pretty much dead now - IDN domain names mean that you can always
generate a new domain name which looks identical to an existing one.
Done right, OpenID can do a lot to cut down on phishing attacks because
you have to type in your password so much less, but there might be no
good way to make those times maximally convenient.
\/ o\ Paul Crowley, paul at ciphergoth.org
More information about the yadis