OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

2007-01-22 Thread Simon Willison

On 19 Jan 2007, at 14:19, Ben Laurie wrote:

> Still totally unhappy about the phishing issues, which I blogged  
> about here:
>
> http://www.links.org/?p=187

I have a proposal which I think could greatly reduce the risk of  
phishing: identity providers should /never/ display their login form  
(or a link to the form) on a page that has been redirected to by an  
OpenID consumer.

Instead, they should instruct the user to navigate to the login page  
themselves. The login page should have a short, memorable URL and  
users should be encouraged to bookmark it themselves when they sign  
up for the provider. The OpenID "landing page" then becomes an  
opportunity to help protect users against phishing rather than just  
being a vector for the attack.

I've fleshed this out on my blog:

http://simonwillison.net/2007/Jan/19/phishing/

Does that sound workable?

Cheers,

Simon
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: [OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

2007-01-22 Thread Simon Willison

On 19 Jan 2007, at 15:06, Scott Kveton wrote:

> What if the OP cataloged where you just came from and then  
> presented the
> screen that you mention?  The user is asked to navigate via a  
> bookmark or
> entering the URL in the location bar and then upon logging in is  
> presented
> with a link back to the site they just came from.  Then the user  
> can quickly
> engage and the site can still kick off the SREG mojo instead of  
> having to go
> _back_ to the site in question to re-initiate the login.

That's actually what I had in mind - I should have made that more  
clear. When you arrive on the landing page a cookie is set to allow  
the site to track your half-complete authentication request; once you  
log in you get a link to continue with that authentication.

I totally agree that the best thing about OpenID is that it lowers  
the barrier to engagement. My hope is that most users will be logged  
in to their OP most of the time, so they will actually very rarely  
see the landing page.

Cheers,

Simon
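The flow the two messages converge on (landing page with no login form, user reaches the login page via their own bookmark, cookie ties the half-complete request to the session, continuation link offered after login) can be sketched as a small simulated provider. This is an added illustration written for this archive page, not code from Simon Willison, Scott Kveton or any OpenID implementation; the class and method names, the cookie name `openid_pending`, the ten-minute expiry and the test accounts are all constructed for the example, and the positive assertion built at the end is reduced to the mode and identity parameters (no signature) so the focus stays on the landing-page behaviour.

```python
"""Simulated OpenID Provider landing-page flow (constructed example).

The provider never renders its login form, or a link to it, on a page
reached through a relying-party redirect. It records the half-finished
request, binds it to an opaque cookie, and tells the user to reach the
login page through the bookmark they saved at sign-up. After a direct
login, the stored request is offered back as a single-use continue link.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse

PENDING_TTL = 600  # seconds a half-complete request stays resumable (assumed value)


def make_user(password: str) -> tuple[bytes, bytes]:
    """Return (salt, pbkdf2_hash) for a constructed test account."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Response:
    body: str
    set_cookie: dict = field(default_factory=dict)


class OpenIDProvider:
    def __init__(self, users: dict):
        self.users = users      # username -> (salt, pbkdf2_hash)
        self.pending = {}       # cookie token -> (return_to, identity, created_at)

    # Step 1: the user arrives via the RP redirect (openid.mode=checkid_setup).
    def handle_checkid(self, params: dict) -> Response:
        token = secrets.token_urlsafe(32)   # opaque, unguessable cookie value
        self.pending[token] = (params["openid.return_to"],
                               params["openid.identity"], time.time())
        site = urlparse(params["openid.return_to"]).netloc
        # Deliberately no <form>, no <a href>, no login URL: the page only
        # explains the situation and points the user at their own bookmark.
        body = (f"<p>{site} has asked you to sign in with your OpenID.</p>"
                "<p>To continue, open the login page from the bookmark you saved "
                "when you created your account. The login form is never shown "
                "on this page.</p>")
        return Response(body, set_cookie={"openid_pending": token})

    # Step 2: the user reaches the login page directly and posts credentials.
    def handle_login(self, username: str, password: str, cookies: dict) -> Response:
        salt, stored = self.users.get(username, (b"", b""))
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(derived, stored):
            return Response("<p>Login failed.</p>")
        token = cookies.get("openid_pending")
        entry = self.pending.get(token)
        if entry and time.time() - entry[2] < PENDING_TTL:
            site = urlparse(entry[0]).netloc
            return Response(f'<p>Signed in. <a href="/continue?t={token}">'
                            f"Continue to {site}</a></p>")
        return Response("<p>Signed in.</p>")

    # Step 3: the continue link completes the stored request exactly once.
    def handle_continue(self, token: str):
        entry = self.pending.pop(token, None)
        if entry is None or time.time() - entry[2] >= PENDING_TTL:
            return None
        return_to, identity, _ = entry
        # Simplified positive assertion: real responses carry more fields and a signature.
        return return_to + "?" + urlencode({"openid.mode": "id_res",
                                            "openid.identity": identity})


if __name__ == "__main__":
    op = OpenIDProvider({"alice": make_user("correct horse")})
    landing = op.handle_checkid({"openid.mode": "checkid_setup",
                                 "openid.return_to": "https://rp.example/finish",
                                 "openid.identity": "https://alice.example-op.test/"})
    print(landing.body)
    after = op.handle_login("alice", "correct horse", landing.set_cookie)
    print(after.body)
```

The point worth checking in any real implementation is the one the first message makes: the response to the redirect must contain neither a credential form nor a clickable route to one, so a phishing site that redirects to a look-alike provider gains nothing from the redirect itself. The pending record is keyed by an unguessable cookie value, expires, and is consumed on first use, so the continuation step cannot be replayed or attached to someone else's session.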