Phishing attacks on OpenID

Paul Crowley paul at
Thu Jun 2 07:06:10 PDT 2005

Xageroth Sekarius wrote:
> A) Not everyone uses bookmarks and those that do usually wouldn't
> bookmark something if they were requested to.

Apparently the people who don't use bookmarks just type stuff out in the 
URL bar every time and rely on auto-complete, which is just as good.

> B) Bookmarks don't travel (at least, it's not standard that they
> travel) so offices, libraries, and borrowed machines will require the
> user to think "...ok wait.. how do I login when I don't have my
> bookmarks?" (this is similar to the issues involved with password
> managers where a convenience becomes a dependency).

Ditto - type it out in the URL bar.

> C) Implying that bookmarks are unquestionably reliable may have
> unforeseen side effects both in how humans treat the technology and how
> the technology may evolve in the future.

I think it pushes the technology in the right direction - it gives the 
user a way to bind a local name to a remote entity in a way that's under 
their control.

> Bookmarks should be a definite suggestion, but not a requirement.
> Besides, making them a requirement could possibly limit its expansion
> to devices which do not support bookmarks (as far as I'm aware, that's
> slim, but still, a consideration).

As I say, typing in the URL works too.

> Requiring the user to supply a verification seems to be a better
> answer to me. Clever developers can think of ways of putting the
> verification pre-password and post-password depending on how much they
> feel it might inconvenience the user. In either case, it would be an
> easier to recognize visual cue for the user that something is wrong.

I don't see how this helps.  It's no problem for the phisherman to fetch 
this image at phishing time and display it in exactly the same way.

\/ o\ Paul Crowley, paul at
