The question is how much of an actual additional phishing risk this
type of information leak is.
This is security through obscurity, and it cannot last. The longer
such a system is deployed, the more it will come to the attention of evil
minds (that will focus on how to exploit it, and have ever more time
to figure out a way), and the more entrenched it will become in the
minds of users and the implementations of developers, so that the
former are reluctant to abandon it and the latter *cannot* abandon it
without a great deal of difficulty in redoing their existing work.
The browsers have accidentally conducted
an experiment for us. The result so far appears to indicate that this
information provides little additional benefit to phishers as they
haven't used it
. . . yet!
In security, "Well no-one has done anything *so far* . . . " does not
make a system secure. Attackers, especially of the hacker mindset,
will *by nature* disobey the rules we assume everyone is following,
and think of how they can make the system do something we never
planned into it.
In this case the attack is well-documented, and even widely accepted
- developers (such as yourself) think mainly of the *convenience*
that can be achieved if they exploit the (browser) vulnerability
themselves instead of fixing it, so you've already conditioned
yourself to think nothing of this even if you *did* see it in the
wild. All an attacker (phisher) has to do is pretend they have a
legitimate intent, just like you.
for known successful attacks. Additional data most
welcomed.
If they *were* using it, *would* the connection become known?
The desire to show off (and become known for having figured out a
particular trick) fades rapidly when the trick has *already* been
discovered (by white-hat researchers) and implementations exist, too;
at that point, the usefulness of *keeping an attack secret* (so that
no one actively devises defenses against it) is far more compelling.
-Shade