Comments on: OpenID and Phishing: Episode II

By: The problem(s) with OpenID « The Identity Corner

The problem(s) with OpenID « The Identity Corner — Mon, 11 Feb 2008 00:31:58 +0000

[...] spoofing and ID theft – we need severe crypto, locked down, secure ID systems.” Ben Laurie elaborates as follows: “The OpenID fanboys want OpenID to work on any old platform using only standard software, [...]

By: links for 2007-10-30 « Spartakan

links for 2007-10-30 « Spartakan — Tue, 30 Oct 2007 04:26:50 +0000

[...] Links » OpenID and Phishing Ben Laurie’s criticisms of openIDs security model, and responses dealt with (tags: identity security blog 2007) [...]

By: OpenID sucks. « Outside the Bubble…

OpenID sucks. « Outside the Bubble… — Fri, 19 Oct 2007 19:15:31 +0000

[...] OpenID and Phishing: Episode 2 [...]

By: The Identity Corner » The problem(s) with OpenID

The Identity Corner » The problem(s) with OpenID — Wed, 22 Aug 2007 22:30:20 +0000

[...] In sum, OpenID adds up to little more than simple password management with extra overhead and lots of security problems. As Marc Canter stresses: “if we’re to stop phishing, and spoofing and ID theft – we need severe crypto, locked down, secure ID systems.” Ben Laurie elaborates as follows: “The OpenID fanboys want OpenID to work on any old platform using only standard software, and so therefore are doomed to live in the world of broken authentication. This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value. […] This is the root of the problem: if you want to protect anything of value, you have to do better than existing Web solutions. You need better client-side software. […] the best general way to handle this problem is through zero-knowledge proofs.” (Note: this is exactly what Credentica’s technology does.) [...]

By: Michael Barrett

Michael Barrett — Fri, 02 Mar 2007 17:30:33 +0000

I am more or less convinced – and admittedly I am highly biased – that OpenID is unlikely to get into serious usage for anything commercially sensitive. There are already a slew of protocols (SAML 2.0 / Liberty ID-FF, WS-*, Cardspace, Higgins, Shib, blah) that deal with most of the issues much more robustly.

If the trust issues that you raise here are not addressed by OpenID, then it seems most unlikely that it will achieve significant “real world” deployment.

By: Kim Cameron’s Identity Weblog » Can browser-based plugins solve the phishing problem?

Mon, 12 Feb 2007 05:31:00 +0000

[...] Dready’s right about the research. But rather than calling it a “social problem” I’d call it a “social engineering attack”. Further, there is a protocol problem. The protocol is based on telling the RP where the OP is located - such that an evil site can automate a “man in the middle attack”. Some other protocols, including the one used by CardSpace, do NOT have this problem. That’s why combining CardSpace and OpenID is useful. Numerous ideas to mitigate phishing attacks have been floating around the OpenID list and on the OpenID mini-blogsphere. Ben Laurie argues for a client-side solution: Authentication on the web is broken, and has been for a long time. The OpenID fanboys want OpenID to work on any old platform using only standard software, and so therefore are doomed to live in the world of broken authentication. This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value. [...]

By: dready blog v2.0 » Blog Archive » Browser-based mitigation of phishing attacks

Sun, 21 Jan 2007 17:59:08 +0000

[...] Numerous ideas to mitigate phishing attacks have been floating around the OpenID list and on the OpenID mini-blogsphere. Ben Laurie argues for a client-side solution: Authentication on the web is broken, and has been for a long time. The OpenID fanboys want OpenID to work on any old platform using only standard software, and so therefore are doomed to live in the world of broken authentication. This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value. [...]

By: Krishna

Krishna — Sun, 21 Jan 2007 12:54:28 +0000

How does adding zero-knowledge proofs to the spec address the phishing problem?

By: Kim Cameron’s Identity Weblog » Ben Laurie explains the “Kittens” phishing attack.

Sun, 21 Jan 2007 02:12:29 +0000

[...] Like me, Ben was struck with how readily the system currently lends itself to automation of phishing attacks. His second post on the subject is interesting. [...]

By: identity 2.0 / Phishing w OpenID

identity 2.0 / Phishing w OpenID — Sat, 20 Jan 2007 23:10:32 +0000

[...] Problem phishingu w OpenID jest bardzo poważny i nikt nie zamierza tego negować. Ben Laurie napisał na ten temat dwa ciekawe wpisy, w pierwszym z nich dość prowokacyjnie stwierdza, że OpenID jest rajem dla phisherów. I trudno odmówić mu niestety racji. [...]