Phishing attacks on OpenID
ken.horn at clara.co.uk
Thu Jun 2 09:44:04 PDT 2005
I think forcing users to type in the urls to the browser bar, will
decrease usability (and hence adoption) significantly -- auto-complete
will only help when on your own machine, when a bookmark could be used.
Phishing will probably only be an issue for big name sites, like
livejournal -- many will be small sites that are not worth attacking.
Are we expecting many people to want to leave comments at a disreputable
site, and not to be able to recognise their central id server? - it's
probably an edge case, but changing the core mechanism seems like a big
change to me. Also, most of the time, they will expect their id server
session to auto verify - asking for credentials again will (should)
More information about the yadis