Non-recoverable auth failure?
Jean-Luc Delatre
jld at club-internet.fr
Fri Jun 24 10:35:39 PDT 2005
Evan Martin wrote:
>On 6/24/05, Brad Fitzpatrick <brad at danga.com> wrote:
>
>>Yes, phishing will still happen, but let's not encourage it.
>
>One plausible attack is this: if I discover some place where HTML
>isn't escaped in an LJ page, I can construct a URL to that page that
>contains the HTML to cover the page with an iframe on my evil site.
>From the user's perspective, they're on an LJ page with a crazy URL so
>it looks ok.
>
>Ways to help avoid this:
>1) Include on the openid auth page the text: "Verify that the URL bar
>says livejournal.com/auth/openid.bml, if it's not you may be getting
>phished" or whatever it is.
>
>
Oh, yeah?
You likely didn't read this (it was in my previous post):
http://secunia.com/multiple_browsers_idn_spoofing_test/
And *do* click on their link as it appears below:
Test Your System
Test Now - Left Click On This Link <--- it says "http://www.paypаl.com/"
It has been fixed on some browsers, but not all users will be up to date...
>2) Show the user some personal information that makes them more likely
>to trust the site, like userpics, etc. Unfortunately the phishers can
>just download the userpics. If the user has hidden any of their
>userinfo you can say something like "to prove this is really LJ, I'll
>mention that you were born in 1986, despite that being non-public
>info".
>
>
>
No chance either, it is getting complicated and users *don't* pay attention.
Therefore it should be assumed that it will happen, in which case it
should only damage *this* fooled user, not the consumer or, even worse,
the server (by giving a way to disclose some "secret").
JLD
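
The spoofed link in the Secunia test referenced above is a mixed-script IDN hostname. As an added example (not part of the original post or of the Secunia test), this Python sketch shows one way a consumer or server could flag such hostnames before displaying or following them; the function names and the sample hostname, built with an explicit Cyrillic U+0430, are constructed for illustration.

```python
import unicodedata


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if not ch.isalpha():
        return "COMMON"  # digits, hyphen, etc. are shared by every script
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_host(host):
    """Return per-label findings: decoded label, ACE form, scripts, mixed flag."""
    findings = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--") and label.isascii():
            # Decode the ACE (punycode) form so the check sees the real characters
            label = label.encode("ascii").decode("idna")
        scripts = {script_of(c) for c in label} - {"COMMON"}
        findings.append({
            "label": label,
            "ace": label.encode("idna").decode("ascii"),  # what goes on the wire
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
        })
    return findings


def is_suspicious(host):
    """True when any single label mixes scripts, e.g. Latin with Cyrillic."""
    return any(f["mixed"] for f in inspect_host(host))


if __name__ == "__main__":
    # Constructed samples: the second one replaces the last "a" with Cyrillic U+0430
    for sample in ("www.paypal.com", "www.payp\u0430l.com"):
        for f in inspect_host(sample):
            flag = "MIXED-SCRIPT" if f["mixed"] else "ok"
            print(f"{sample!r}: label {f['ace']} scripts={f['scripts']} {flag}")
```

A label written entirely in one non-Latin script is not flagged by this check, so showing the ACE (`xn--`) form to the user or comparing against an allow-list remains necessary.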