Phishing attacks on OpenID

Xageroth Sekarius xageroth at
Wed Jun 1 21:11:00 PDT 2005

> The only fix I can see is to back out of the whole idea of seamlessly
> logging in to the identity server if it doesn't already know who you
> are, and to replace that page with one that does not provide a login
> box, but that prompts you to look the site up in your bookmarks and log
> in that way, and warns you that that is always how you must log in and
> anything that says otherwise is a phishing attempt.  That's a little
> incovenient but I can't see a better strategy.

I was thinking about this and why it's not a satisfactory solution:

A) Not everyone uses bookmarks and those that do usually wouldn't
bookmark something if they were requested to.

B) Bookmarks don't travel (at least, it's not standard that they
travel) so offices, libraries, and borrowed machines will require the
user to think "...ok wait.. how do I login when I don't have my
bookmarks?" (this is similar to the issues involved with password
managers where a convenience becomes a dependency).

C) Implying that bookmarks are unquestionably reliable may have
unforseen side effects both in how humans treat the technology and how
the technology may evolve in the future.

Bookmarks should be a definite suggestion, but not a requirement.
Besides, making them a requirement could possibly limit it's expansion
to devices which do not support bookmarks (as far as I'm aware, that's
slim, but still, a consideration).

Requiring the user to supply a verification seems to be a better
answer to me. Clever developers can think of ways of putting the
verification pre-password and post-password depending on how much they
feel it might inconvience the user. In either case, it would be an
easier to recognize visual queue for the user that something is wrong.

Not saying it's the answer, just adding it to the options.

Bookmarks, user-supplied verifications. Anything else that doesn't
require a plugin?

More information about the yadis mailing list