OpenID and Phishing

I am probably going to make a lot people mad here, but all this talk of OpenID and Phishing made me think of this demotivator: 

But seriously. The recent Fun OpenID Phishing Demo shows just how troutish the typical OpenID user would if the technology was ever adopted for serious use. With OpenID (as with all SSO technologies) once they have your master login credentials they have access to all your SP accounts. Too many OPs are far too easy to Phish.

Touting the added security of an additional browser plug-ins (especially one that is only available on Firefox) is simply not going to cut it. SPs have to believe that OpenID provides sufficient protection for all their customers assuming a vanilla browser or it won’t be adopted for serious use.

Some sites like Vidoop are more Phishing resistant than others (Vidoop also has a browser plug-in that is available on both Firefox and IE). Also relying on Information Cards to authenticate to the OP provides a high degree of Phishing resistances. But relying on sites to be Phishing resistant would force SPs to a White List approach.

Perhaps OpenID + White Lists + Phishing Resistant OPs would keep Mr. Trout safe and happy.

PAPE is supposed to address this. But trust is all about knowing who you are dealing with. If I don’t know you, how can I trust you will really honor your promise? Likewise how does an SP trust that a previously unheard of OP will honor the promises it makes via PAPE in regards to authentication? 


2 responses to “OpenID and Phishing

  1. Bad rap for the trout? As founder of the internationally famous attitude-jazz band Wild Trout, former Smokey Mountains trout farmer, and leading supporter of trout everywhere, I must protest this facetious view of an iconic phish. 🙂

  2. I apologize if I have offended any trout, wild or otherwise.

    Swim long and prosper.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s