Phishing attacks on OpenID

Paul Crowley paul at
Wed Jun 1 19:17:29 PDT 2005

Jason Nelson wrote:
> The threat of phishing exists anywhere that passwords are exchanged.

I think I've explained why I think OpenID is an especial risk here.

> A better approach may be to train users to check the URL carefully before
> entering their credentials. I don't think we should degrade the overall
> user experience for this reason.

Sadly this approach to preventing phishing, which never really worked, 
is pretty much dead now: IDN domain names mean that you can always 
generate a new domain name which looks identical to an existing one.

Done right, OpenID can do a lot to cut down on phishing attacks because 
you have to type in your password so much less, but there might be no 
good way to make those times maximally convenient.
\/ o\ Paul Crowley, paul at
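The IDN lookalike problem described above is one a relying party, mail gateway or browser can at least flag before a user is asked for credentials. The following is an added example, not code from this thread or from OpenID; it assumes a constructed subset of the Unicode confusables table and a constructed list of trusted domains, and treats a character's Unicode name prefix as a stand-in for its script.

```python
import unicodedata

# Constructed subset of the Unicode confusables table (Cyrillic -> Latin lookalikes).
# An assumption for this example, not an exhaustive mapping.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0501": "d",
}
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")


def script_of(ch):
    # unicodedata exposes no Script property; the name prefix is a usable proxy.
    name = unicodedata.name(ch, "")
    for s in SCRIPTS:
        if name.startswith(s):
            return s
    return "OTHER"


def to_unicode_host(host):
    """Turn punycode (xn--) labels back into Unicode so lookalikes become visible."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def skeleton(host):
    """Fold confusable characters onto their Latin lookalikes for comparison."""
    folded = unicodedata.normalize("NFKC", to_unicode_host(host)).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def homograph_findings(host, trusted):
    """Flag a hostname that mixes scripts inside one label, is non-ASCII at all,
    or whose skeleton collides with a trusted domain while the real name differs."""
    findings = []
    uhost = to_unicode_host(host)
    for label in uhost.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()} - {"OTHER"}
        if len(scripts) > 1:
            findings.append(f"mixed-script label: {label!r}")
    if not uhost.isascii():
        findings.append("non-ASCII hostname")
    for t in trusted:
        if skeleton(host) == skeleton(t) and uhost.lower() != t.lower():
            findings.append(f"confusable with {t}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a Latin name with one Cyrillic 'a', and an all-Cyrillic
    # name encoded to punycode, as a browser or log line would show it.
    for h in ["example.com", "p\u0430ypal.com",
              "\u0435\u0440\u0456\u0441.com".encode("idna").decode("ascii")]:
        print(h, homograph_findings(h, ["paypal.com", "epic.com"]))
```

Treat a non-empty result as a reason to show the user the decoded Unicode form, or to refuse to pre-fill or relay credentials, rather than as proof of phishing.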

More information about the yadis mailing list