Phishing attacks on OpenID

Ken Horn ken.horn at
Thu Jun 2 09:44:04 PDT 2005

I think forcing users to type in the urls to the browser bar, will 
decrease usability (and hence adoption) significantly -- auto-complete 
will only help when on your own machine, when a bookmark could be used. 
Phishing will probably only be an issue for big name sites, like 
livejournal -- many will be small sites that are not worth attacking. 
Are we expecting many people to want to leave comments at a disreputable 
site, and not to be able to recognise their central id server? - it's 
probably an edge case, but changing the core mechanism seems like a big 
change to me. Also, most of the time, they will expect their id server 
session to auto verify - asking for credentials again will (should) 
raise suspicion.

More information about the yadis mailing list