incubator-heraldry-dev mailing list archives

From Simon Willison <si...@simonwillison.net>
Subject OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
Date Fri, 19 Jan 2007 14:45:08 GMT

On 19 Jan 2007, at 14:19, Ben Laurie wrote:

> Still totally unhappy about the phishing issues, which I blogged  
> about here:
>
> http://www.links.org/?p=187

I have a proposal which I think could greatly reduce the risk of  
phishing: identity providers should /never/ display their login form  
(or a link to the form) on a page that has been redirected to by an  
OpenID consumer.

Instead, they should instruct the user to navigate to the login page  
themselves. The login page should have a short, memorable URL and  
users should be encouraged to bookmark it themselves when they sign  
up for the provider. The OpenID "landing page" then becomes an  
opportunity to help protect users against phishing rather than just  
being a vector for the attack.

I've fleshed this out on my blog:

http://simonwillison.net/2007/Jan/19/phishing/

Does that sound workable?

Cheers,

Simon
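The landing-page policy Simon proposes, worked through as an added example that is not part of the thread or of any OpenID library: a request that reaches the provider as a consumer-initiated redirect (carrying `openid.mode=checkid_setup` or `checkid_immediate`) never gets a login form or a link to one; the pending request is parked in the session and the user is told to open their bookmarked login page. Only a direct visit to that page renders the form, and a successful login there resumes the parked request. The session object, the `/login` path and the `LOGIN_URL` value are assumptions for illustration.

```python
"""Added example (not from the original message): an OpenID provider that
refuses to show its login form on consumer-redirected pages.
Session store, URL layout and LOGIN_URL are assumed for the demonstration."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed short, bookmarkable login page; the only place a form is rendered.
LOGIN_URL = "https://idp.example/login"

# OpenID request modes that mean a relying party sent the browser here.
CONSUMER_MODES = {"checkid_setup", "checkid_immediate"}


@dataclass
class Session:
    user: Optional[str] = None
    pending: Optional[Dict[str, str]] = None  # parked request awaiting a direct login


def is_consumer_redirect(query: Dict[str, list]) -> bool:
    """True when the request carries a checkid request, i.e. the user did not
    type this URL but was redirected by an OpenID consumer."""
    mode = query.get("openid.mode", [""])[0]
    return mode in CONSUMER_MODES


def approve(session: Session) -> dict:
    """Complete the parked request for an already-authenticated user."""
    pending = session.pending or {}
    session.pending = None
    return {"page": "redirect", "login_form": False,
            "return_to": pending.get("openid.return_to"), "user": session.user}


def handle_request(url: str, session: Session) -> dict:
    """Dispatch one provider request; returns a description of the response."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    if is_consumer_redirect(query):
        # Remember what the consumer asked for so a later direct login can resume it.
        session.pending = {k: v[0] for k, v in query.items()}
        if session.user is None:
            # Policy: a redirected page shows neither a login form nor a link to it,
            # so a phishing consumer has nothing to imitate on this hop.
            return {"page": "landing", "login_form": False,
                    "message": "Open your bookmarked login page to continue."}
        return approve(session)

    if parts.path == "/login":
        # Only a user-initiated visit to the bookmarked URL renders credentials.
        return {"page": "login", "login_form": True}

    return {"page": "not_found", "login_form": False}


def login(session: Session, user: str) -> dict:
    """Called after credentials checked on the bookmarked login page."""
    session.user = user
    if session.pending:
        return approve(session)
    return {"page": "home", "login_form": False}


if __name__ == "__main__":
    # Constructed walk-through: consumer redirect, then direct login, then resume.
    s = Session()
    print(handle_request("https://idp.example/server?openid.mode=checkid_setup"
                         "&openid.return_to=https://rp.example/cb", s))
    print(handle_request(LOGIN_URL, s))
    print(login(s, "alice"))
```

The important property is that `handle_request` decides on the request parameters alone and never on the Referer, so a consumer cannot talk the provider into rendering a form by manipulating where the redirect appears to come from; the parked request is the only state that crosses from the redirected hop to the user-initiated one.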
