Phishing attacks on OpenID
Paul Crowley
paul at ciphergoth.org
Wed Jun 1 18:45:50 PDT 2005
Xageroth Sekarius wrote:
> I do agree however this isn't something the least bit unique to OpenID
> and anything that would combat phishing could be used to combat this.
It isn't unique to OpenID, but what makes OpenID unusually vulnerable is
this (to me) interesting observation: sites you log in to are usually
sites you visit directly, not ones you follow links to.
I don't usually click on a link on another website that takes me to
LiveJournal and then find myself logging in - I decide to read my LJ,
and click on it from my bookmarks or type it into the address bar.
This isn't a deliberate anti-phishing policy on my part; it's an
observation that you have a different relationship with sites that you
have passwords on than those you don't. And there are exceptions to
this observation too - for example, I might read an article somewhere
that links to a story on Slashdot, and that could suffer the same
problem. But even there, I won't necessarily choose to log in if
prompted to, while with the OpenID setup I almost certainly will unless
I'm trained not to.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/