Phishing attacks on OpenID
paul at ciphergoth.org
Thu Jun 2 07:06:10 PDT 2005
Xageroth Sekarius wrote:
> A) Not everyone uses bookmarks and those that do usually wouldn't
> bookmark something if they were requested to.
Apparently the people who don't use bookmarks just type stuff out in the
URL bar every time and rely on auto-complete, which is just as good.
> B) Bookmarks don't travel (at least, it's not standard that they
> travel) so offices, libraries, and borrowed machines will require the
> user to think "...ok wait.. how do I login when I don't have my
> bookmarks?" (this is similar to the issues involved with password
> managers where a convenience becomes a dependency).
Ditto - type it out in the URL bar.
> C) Implying that bookmarks are unquestionably reliable may have
> unforeseen side effects both in how humans treat the technology and how
> the technology may evolve in the future.
I think it pushes the technology in the right direction - it gives the
user a way to bind a local name to a remote entity in a way that's under
> Bookmarks should be a definite suggestion, but not a requirement.
> Besides, making them a requirement could possibly limit its expansion
> to devices which do not support bookmarks (as far as I'm aware, that's
> slim, but still, a consideration).
As I say, typing in the URL works too.
> Requiring the user to supply a verification seems to be a better
> answer to me. Clever developers can think of ways of putting the
> verification pre-password and post-password depending on how much they
> feel it might inconvenience the user. In either case, it would be an
> easier to recognize visual cue for the user that something is wrong.
I don't see how this helps. It's no problem for the phisherman to fetch
this image at phishing time and display it in exactly the same way.
\/ o\ Paul Crowley, paul at ciphergoth.org
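The relay attack Paul describes, worked through as an added example (this is not code from the thread or from any OpenID implementation; the class names, the user "alice", the password and the image bytes are all constructed for the illustration). A "pre-password verification image" is served by the identity provider to anyone who supplies a username, so a phishing site that knows the username can fetch the genuine image at phishing time and show it unchanged. A naive phisher that cannot produce the image is included for contrast, since that is the only attacker the scheme stops.

```python
"""Why a per-user 'verification image' does not stop a relaying phisher.

Added illustration, not code from the original thread. IdentityProvider,
StaticPhisher, RelayingPhisher and the sample user data are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Legitimate IdP: shows a per-user image before asking for the password."""
    users: dict                       # username -> (image bytes, password)
    logins: list = field(default_factory=list)

    def verification_image(self, username: str) -> bytes:
        # Served before any authentication: anyone who knows the username
        # can request it, so it is effectively public.
        return self.users[username][0]

    def login(self, username: str, password: str) -> bool:
        ok = self.users[username][1] == password
        if ok:
            self.logins.append(username)
        return ok


@dataclass
class StaticPhisher:
    """Naive phishing site that does not know the victim's image."""
    captured: list = field(default_factory=list)

    def verification_image(self, username: str) -> bytes:
        return b"generic-padlock.png"          # wrong image, victim notices

    def login(self, username: str, password: str) -> bool:
        self.captured.append((username, password))
        return True


@dataclass
class RelayingPhisher:
    """Phishing site that proxies the username step to the real IdP."""
    real_idp: IdentityProvider
    captured: list = field(default_factory=list)

    def verification_image(self, username: str) -> bytes:
        # Fetch the genuine image at phishing time and display it unchanged.
        return self.real_idp.verification_image(username)

    def login(self, username: str, password: str) -> bool:
        self.captured.append((username, password))
        # Forward the credentials so the victim's session succeeds and
        # nothing looks amiss.
        return self.real_idp.login(username, password)


def victim_logs_in(site, username: str, password: str, expected: bytes):
    """Model of the user's check: type the password only if the image matches.

    Returns None when the user refuses, else the site's login result."""
    if site.verification_image(username) != expected:
        return None
    return site.login(username, password)


def run_demo():
    idp = IdentityProvider({"alice": (b"\x89PNG-constructed-cat", "hunter2")})
    alice_image = idp.verification_image("alice")   # what alice expects to see

    naive = StaticPhisher()
    relay = RelayingPhisher(idp)

    naive_result = victim_logs_in(naive, "alice", "hunter2", alice_image)
    relay_result = victim_logs_in(relay, "alice", "hunter2", alice_image)

    return {
        "naive_result": naive_result,        # None: image mismatch, alice refused
        "naive_captured": naive.captured,    # []
        "relay_result": relay_result,        # True: image matched, login went through
        "relay_captured": relay.captured,    # [("alice", "hunter2")]
        "idp_logins": idp.logins,            # ["alice"]: IdP saw a normal login
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The image check only distinguishes a site that cannot obtain the image from one that can; since obtaining it costs the attacker one unauthenticated request, it adds no security against a phisher who relays, and the legitimate IdP records an ordinary successful login.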