Phishing attacks on OpenID

Paul Crowley paul at ciphergoth.org
Wed Jun 1 18:45:50 PDT 2005


Xageroth Sekarius wrote:
> I do agree however this isn't something the least bit unique to OpenID
> and anything that would combat phishing could be used to combat this.

It isn't unique to OpenID, but what makes OpenID unusually vulnerable is 
this (to me) interesting observation: sites you log in to are usually 
sites you visit directly, not ones you follow links to.

I don't usually click on a link on another website that takes me to 
LiveJournal and then find myself logging in - I decide to read my LJ, 
and click on it from my bookmarks or type it into the address bar. 
This isn't a deliberate anti-phishing policy on my part; it's an 
observation that you have a different relationship with sites that you 
have passwords on than those you don't.  And there are exceptions to 
this observation too - for example, I might read an article somewhere 
that links to a story on Slashdot, and that could suffer the same 
problem.  But even there, I won't necessarily choose to log in if 
prompted to, while with the OpenID setup I almost certainly will unless 
I'm trained not to.
-- 
   __
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/