Comments on: OpenID: Phishing Heaven

By: A smart browser that knows who you are | Rebecca Cottrell

A smart browser that knows who you are | Rebecca Cottrell — Sun, 19 Dec 2010 19:39:34 +0000

[...] redirects — an undelightful part of the OpenID experience — are also a phishing risk. Ben Laurie explains how OpenID is a phishing heaven with a kitten site [...]

By: BravoZulu

BravoZulu — Thu, 01 Oct 2009 23:56:20 +0000

If you implement something like a Yubikey (from Yuico) or PhoneFactor.com (which is FREE), then you cut the risk of phishing and man-in-the-middle significantly. You should have the PAPE and AQE OpenID extensions installed too so that Yadis can detect and inform the RP of their presence. This gives the RP some comfort in knowing that certain security policies are in-place.

By: Mahender Didwania

Mahender Didwania — Fri, 30 Jan 2009 01:00:10 +0000

ah, and I forgot to add that the 3rd method, mentioned by someone earlier and adapted here, could be to send the message with the token to your registered jabber ID, to which you reply with the same token…

so, one or more of 3 methods should make it reasonably resilient (assuming the email may not get delivered instantly for example, if email servers are under attack or in general are under load…)

client certs may be an option, but not for the average casual user on the internet, who is only too familiar with email and IM (so can adapt to jabber, because I would hate proprietary protocols of Yahoo/MSN/others in OpenID) but is not familiar with client certificates (for this reason, I did not insist on use of public-private keys either, just made it optional)

By: Mahender Didwania

Mahender Didwania — Fri, 30 Jan 2009 00:49:39 +0000

A few ways to make OpenID more secure:

The OpenID standard must make sure that the providers support atleast one of the two methods below (to mitigate a costly set up, so a home user can also become an OpenID provider):

a) authentication via text message to your registered mobile phone. The text message should be a token generated using a hash of your public SSH key (which you uploaded at time of registration) or a security key (not necessarily SSH key) generated for you by the server at the time of registration. You must reply to that message with the earlier message contents (the token sent to you) and you will be authenticated. The web-page which was redirected to by the consumer would already have just given a message that you were not logged in (in case you were not) and a link to retry which would just invoke the same redirect (or an auto refresh of the same page); if logged in, it redirects back to consumer website

b) authentication using email. Same as above except that instead of a text message you receive an email at your registered address with the token in subject header and you just reply to that, keeping the token intact. If the provider is paranoid, they may ask you add, at end of subject line, or in email body (option) two random letters (which letters are required would be mentioned in the body of the email) from your atleast 10 letter password – the usual caveats of a strong password must be applied by the provider at time of registration – after all, it is going to be one of the very few passwords you will need because of OpenID.

If you, as a user, have neither a mobile phone nor an email account, you cannot use OpenID (unless there is a similar secure option, I do not like the static IP address option because it is limiting in my being able to use my OpenID from anywhere on internet)

Even if Open ID becomes secure due to proper authentication mechanism (use of only one of the explicitly methods must be allowed, and form based authentication as well as the need to enter the password must not be one of those methods), I dislike the idea that my OpenID roams freely on the internet – this can be prevented by making it mandatory in OpenID standard that all consumers send a one way secure hash (SHA/MD5 etc., the hash algorithm options should be explicitly stated in the OpenID standard) of the OpenID, not the OpenID itself. I know a non-legitimate consumer website will still be able to capture your OpenID (I do not want to give the user a cryptic one way hash string generated from their chosen login ID, at time of registration, to use as login ID at consumer websites in future)

By: New York Times seriously confused about identity management « Random Oracle

New York Times seriously confused about identity management « Random Oracle — Tue, 12 Aug 2008 09:25:37 +0000

[...] has been sent there by the “someone else’s Web site” in question leads to the standard critique of OpenID as increasing phishing [...]

By: Passpack Security Just As Strong With OpenID « Passpack Blog

Passpack Security Just As Strong With OpenID « Passpack Blog — Tue, 05 Aug 2008 15:04:50 +0000

[...] level it’s being closely scrutinized. Issues range from traditional phishing attacks to those targeted more towards the OpenID users. (Here is an excellent demo of how a man-in-the-middle attack can phish your OpenID [...]

By: Links » Using OpenID Responsibly

Links » Using OpenID Responsibly — Fri, 20 Jun 2008 11:46:39 +0000

[...] guy called Thomas asks the very reasonable question (where “this problem” is the OpenID phishing problem): Too much of all of this discussion around OpenID focuses around whether or not it’s OpenID’s [...]

By: thomas.apestaart.org » OpenID: yes or no?

thomas.apestaart.org » OpenID: yes or no? — Thu, 19 Jun 2008 22:06:36 +0000

[...] is that I do not know whether the basic model is secure or not. I’ve read lots of pro and con posts, and it’s gone so technical I don’t know who to [...]

By: Web Worker Daily » Archive OpenID: A Contrarian View «

Web Worker Daily » Archive OpenID: A Contrarian View « — Wed, 21 May 2008 18:00:37 +0000

[...] don’t trust it: This has been discussed extensively elsewhere, and there’s been more heat than light thrown on the issues. But my own personal [...]

By: Paul Crowley

Paul Crowley — Fri, 15 Feb 2008 15:40:17 +0000