Phil Becker discusses the increasing popularity of OpenID, and phishing. The idea behind OpenID is that your identity for many sites is controlled by a single site, your OpenID provider. Whenever you want to log in to any of those services, you are redirected to your OpenID provider to enter your password. The disadvantage is that if an attacker gets your OpenID password, they get access to all of those accounts: the single point of access that provides the convenience is also a single point of failure. One of the ways this is done is to create a copy of your provider's login page and fool you into typing your password there; since the site you are logging in to chooses where it redirects you, a malicious or compromised site can send you to the copy instead of the real provider.
One of the solutions is to tell the provider never to ask for a password when you arrive there redirected from another site. What you do is log into your OpenID provider directly, by typing its address yourself, when you start surfing. When a service later redirects you to the provider, you already have a session there and are not asked for a password, so a password prompt after a redirect is a sign that you are not on the real provider. MyOpenID.com has implemented this anti-phishing technique as SafeSignIn.
Phil is right in saying that other efforts, like external authentication, defeat the whole purpose of making it simple for the user. This phishing depends entirely on the fact that you are automatically redirected to the provider for your password, so the best defence is to never enter a password after such a redirect, which is exactly what SafeSignIn enforces. Some other solutions depend too much on your machine or your browser.
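To make the SafeSignIn rule concrete, here is a toy model of a provider's login decision with and without the policy, together with the habit the policy relies on. This is an added example, not code from the original post or from MyOpenID.com; the host names, the `via_redirect` flag and the session handling are assumptions made for illustration.

```python
# Added example, not code from the original post or from MyOpenID.com: a toy
# model of a provider's login decision with and without a SafeSignIn-style
# policy, plus the user discipline the policy relies on. Hosts, names and the
# "via_redirect" flag are assumptions made for illustration.
from dataclasses import dataclass, field
from typing import Optional

PROVIDER_HOST = "www.myopenid.com"                      # hypothetical real provider
PHISH_HOST = "www.myopenid.com.login-check.example"     # constructed lookalike host


@dataclass
class Request:
    host: str                          # host the browser actually landed on
    via_redirect: bool                 # True when a relying party bounced the user here
    session_cookie: Optional[str] = None


@dataclass
class Provider:
    host: str
    safe_signin: bool                  # user setting: never ask for a password on a redirect
    sessions: set = field(default_factory=set)

    def login_directly(self, password_ok: bool) -> Optional[str]:
        """User typed the provider's address and logged in; returns a session id."""
        if not password_ok:
            return None
        sid = f"sess-{len(self.sessions) + 1}"
        self.sessions.add(sid)
        return sid

    def handle(self, req: Request) -> str:
        """What the real provider shows for an incoming authentication request."""
        if req.session_cookie in self.sessions:
            return "approve"           # already logged in: no password prompt at all
        if req.via_redirect and self.safe_signin:
            return "refuse"            # SafeSignIn: tell the user to log in directly first
        return "prompt_password"       # classic behaviour, which phishers imitate


def user_types_password(screen: str, via_redirect: bool, safe_signin: bool) -> bool:
    """The habit SafeSignIn trains: with the policy on, a password prompt reached
    through a redirect can only be a fake, so the user never fills it in."""
    if screen != "prompt_password":
        return False
    return not (via_redirect and safe_signin)


def scenario(safe_signin: bool, logged_in_first: bool, phish: bool) -> dict:
    """Run one login attempt and report what the user saw and whether the
    password was typed. A phishing relying party redirects to PHISH_HOST,
    whose fake page always asks for the password; the browser does not send
    the real provider's session cookie to that host."""
    op = Provider(PROVIDER_HOST, safe_signin)
    sid = op.login_directly(True) if logged_in_first else None
    if phish:
        req = Request(PHISH_HOST, via_redirect=True, session_cookie=None)
        screen = "prompt_password"                 # fake page imitating the real one
    else:
        req = Request(PROVIDER_HOST, via_redirect=True, session_cookie=sid)
        screen = op.handle(req)
    typed = user_types_password(screen, req.via_redirect, safe_signin)
    return {"host": req.host, "screen": screen, "password_typed": typed,
            "password_stolen": bool(typed and phish)}


if __name__ == "__main__":
    for args in [(False, False, True), (True, True, True),
                 (True, True, False), (True, False, False)]:
        print(args, scenario(*args))
```

The four runs in the `__main__` block show the trade-off the post describes: without the policy the lookalike page gets the password; with it the user refuses the fake prompt and the real provider approves silently, but a user who forgot to log in directly first is refused and has to go to the provider by hand.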
The other solution that can help is combining an identity metasystem like Microsoft CardSpace with OpenID. However, I believe even that is going to impose some restrictions on the user.
Just a thought: is it possible that the service you are trying to use does not redirect to the provider's site but somewhere else, which you own? In other words, the service would not learn about your OpenID provider but about something else that you own, where you control the redirection to your OpenID provider. Currently I can use my own URL as my identity, but that is just delegation: the service still reads the provider's address from my page and redirects straight to the provider. What if my site interfaced with the OpenID provider on one end and the service on the other? It would not avoid phishing completely, but it would be tedious for phishers to make duplicates of so many sites. Of course, this might have issues, but it is just a thought.
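What "just delegation" means in practice, as an added example that is not code from the original post: an OpenID 1.1 relying party reads the provider's address from the `<link>` tags on the user's own page and redirects the browser straight to that provider, so the user's site is never in the login flow. The identity page, hosts and URLs below are constructed for illustration.

```python
# Added example, not code from the original post: what "just delegation" means
# in OpenID 1.1. The relying party reads the provider's address from the user's
# own page and redirects straight to that provider; the user's site is never in
# the flow. The HTML, hosts and URLs below are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Constructed identity page: the user's own URL delegates to an OpenID provider.
SAMPLE_IDENTITY_PAGE = """<html><head>
<title>Alice</title>
<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="https://alice.myopenid.com/">
</head><body>Alice's home page</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect rel -> href from <link> tags in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():          # rel may hold several tokens
                self.links.setdefault(token.lower(), href)


def discover(html: str) -> dict:
    """Extract the provider endpoint and delegated identity from an identity page.
    Accepts the OpenID 1.1 link names and their OpenID 2.0 equivalents."""
    p = _LinkCollector()
    p.feed(html)
    endpoint = p.links.get("openid.server") or p.links.get("openid2.provider")
    local_id = p.links.get("openid.delegate") or p.links.get("openid2.local_id")
    if not endpoint:
        raise ValueError("no openid.server link: not an OpenID identity page")
    if urlsplit(endpoint).scheme != "https":
        # Whoever controls this page controls where the browser is sent, so a
        # relying party should at least refuse a plaintext provider endpoint.
        raise ValueError(f"refusing non-HTTPS provider endpoint: {endpoint}")
    return {"endpoint": endpoint, "local_id": local_id}


def build_checkid_redirect(claimed_id: str, disc: dict,
                           return_to: str, trust_root: str) -> str:
    """The URL the relying party redirects the browser to. It points directly at
    the provider endpoint found in the page, not at the user's own site."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": disc["local_id"] or claimed_id,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    return disc["endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    disc = discover(SAMPLE_IDENTITY_PAGE)
    print(build_checkid_redirect("https://alice.example/", disc,
                                 "https://rp.example/finish", "https://rp.example/"))
```

Reading the output makes the distinction in the post visible: the redirect goes to whatever `openid.server` names, so the user's page only sets a pointer. The proxy idea above would, in these terms, mean naming your own endpoint in that tag and having it relay to the real provider, which puts your site in the flow and also makes it the page a phisher would want to copy.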
SafeSignIn is not an ideal solution, but it is the best of the current lot, in my opinion. It is not tedious to do, but it is not practical to assume that everybody will remember to log in to the provider first. It is one of the cases where a little manual intervention makes the automation much more secure.

March 10th, 2007 at 11:32 pm
[...] users to use their OpenIDs. But the ones who do not have one can claim the benefit. Of course, it is not perfect yet, but nothing is, unless everyone in the ecosystem starts contributing to or using it. [...]