Full Disclosure mailing list archives

Re: OpenID. The future of authentication on the web?

From: "Petko D. Petkov" <pdp.gnucitizen () googlemail com>
Date: Mon, 24 Mar 2008 09:25:36 +0000

Let's put it this way,

It is easy to prevent phishing attacks against OpenID on the
client-side with browser extensions. In fact, I think that Firefox
will make this feature a default in their upcoming versions. It could
work exactly the same as the current trusted certificate authorities
every single web browser comes with. You will have a list of trusted
OpenID providers domains which are also cross-matched with their SSL
certificates and URLs. Done!

If firefox is not planning to implement this feature, heck I will code
it myself. This is a hello world XUL extension.

pdp

On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick <stevenrakick () yahoo com> wrote:

Many of you have brought up that OpenID is vulnerable
 to phishing and have highlighted weaknesses specific
 traditional username/password authentication.

 This was the main reason I bought up Information Cards
 in my original post. I've noticed that Beemba
 (http://www.beemba.com) and MyOpenID
 (http://www.myopenid.com) have both implemented
 Information Cards as an authentication option.

 Good idea?

 It seems to me that if you were to rely on Information
 Cards as opposed to username/password the phishing
 angle is mitigated. Is this not the case?

 -sr



      ____________________________________________________________________________________
 Be a better friend, newshound, and
 know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ



 _______________________________________________
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/




-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: OpenID. The future of authentication on the web? Steven Rakick (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
- <Possible follow-ups>
- Re: OpenID. The future of authentication on the web? Steven Rakick (Mar 23)
- Re: OpenID. The future of authentication on the web? Steven Rakick (Mar 24)
  - Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)