[OpenID] Phishing and OpenID

Ka-Ping Yee openid at zesty.ca
Fri Jan 19 15:35:35 PST 2007


As others have noted, a significant problem with OpenID (and most
of the other single-sign-on schemes I've seen) is vulnerability to
phishing.  I've brought this up before and had assumed that most
of these schemes would not get off the ground because of the
severity and obviousness of the problem -- but I was wrong.  Ease
of use has trumped all other concerns (for the time being), and
OpenID certainly does well in the ease-of-use department.

OpenID is not neutral with respect to phishing, however.  Unfortunately,
it helps train users that being phished is a normal interaction.

OpenID login:

    1. Visit a site I've never seen before.
    2. Enter my OpenID in the login form.
    3. See the login form for my OpenID provider.
    4. Submit my username and password.

Phishing attack:

    1. Visit a site I've never seen before.
    2. Enter my OpenID in the login form.
    3. See the login form for my OpenID provider.
    4. Submit my username and password.

OpenID's ease of use is based on keeping steps 1 and 2.  It's only
in step 3 that the user has the opportunity to check the identity
of the site -- whether it's by looking at the URL, checking the
certificate, recognizing a shared secret phrase or picture, etc.
And I am convinced that users will not do such a check when it is
ancillary to their main workflow (enter password, click button).

I see that there's been some discussion here about countermeasures.
Many sites are trying various countermeasures now as part of their
login and password systems (bigger warnings, personalized images,
etc.), but again, they all require users to pay attention to
something auxiliary to what they're doing (and in most cases, they
require users to notice the *absence* of something auxiliary to what
they're doing, which is even worse).  Don't waste time talking about
these -- none are taken seriously in the security community because
they have not been shown to work, no one expected them to work, and
studies so far suggest they do not work.

It comes down to this:

    *** For an anti-phishing solution to work, it must incorporate
    site identification into the normal user login interaction. ***

Here's one possible suggestion for something that might work:

    http://cups.cs.cmu.edu/soups/2006/proceedings/p32_yee.pdf

It's not the only way, of course, but so far it's the only detailed
proposal I've seen that makes the safe path more convenient and
habitual than the unsafe path.


-- ?!ng
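An added illustration of the point made above, written for this page and not code from the e-mail or from the linked paper: a small Python model of the four-step flow in which the relying party chooses where the user is redirected, so the honest login and the phishing login look identical to a user who simply answers the form. The second user agent folds site identification into step 4 itself: the secret is bound to the provider's origin at enrollment and is released only to that origin, so the safe path needs no extra attention from the user. The hostnames, the discovery table and the lookalike URL are constructed sample values; the "discovery" dictionary stands in for fetching the user's identifier page.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample data: the user's real provider, and a lookalike
# endpoint that a dishonest relying party could send the user to instead.
LEGIT_PROVIDER = "https://openid.example.org/login"
LOOKALIKE_PROVIDER = "https://openid-example.org/login"  # constructed lookalike

# Hypothetical "discovery" results as each relying party reports them.
# In real OpenID the RP resolves the identifier itself; the user never
# sees that step, which is exactly why the RP controls step 3.
RP_DISCOVERY = {
    "honest-rp.example": LEGIT_PROVIDER,
    "phish-rp.example": LOOKALIKE_PROVIDER,
}


def origin(url: str) -> str:
    """Scheme + host of a URL, lower-cased, for origin comparison."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


@dataclass
class NaiveUserAgent:
    """Step 4 as the e-mail describes it: the password goes into whatever
    login form appears after the redirect. Checking the site is ancillary,
    so this agent never does it."""
    password: str

    def login_form(self, form_url: str) -> Optional[str]:
        return self.password


@dataclass
class OriginBoundUserAgent:
    """Site identification made part of the login step: the secret was
    bound to the provider's origin at enrollment, and the agent releases
    it only to that origin. Refusals are recorded so they can be surfaced
    to the user or logged, rather than silently swallowed."""
    password: str
    enrolled_origin: str
    refusals: list = field(default_factory=list)

    def login_form(self, form_url: str) -> Optional[str]:
        if origin(form_url) == self.enrolled_origin:
            return self.password
        self.refusals.append(form_url)
        return None


def openid_login(rp_host: str, agent) -> Tuple[str, Optional[str]]:
    """Steps 1-3: visit the RP, enter the identifier, get redirected to the
    provider the RP discovered. Step 4: the agent answers the login form.
    Returns (form URL shown to the user, secret released or None)."""
    form_url = RP_DISCOVERY[rp_host]
    return form_url, agent.login_form(form_url)


if __name__ == "__main__":
    naive = NaiveUserAgent("s3cret")
    bound = OriginBoundUserAgent("s3cret", origin(LEGIT_PROVIDER))
    for rp in RP_DISCOVERY:
        print(rp, "naive ->", openid_login(rp, naive))
        print(rp, "origin-bound ->", openid_login(rp, bound))
    print("refused:", bound.refusals)
```

The naive agent hands the secret to both relying parties, because from its point of view steps 1 through 4 are the same in both runs. The origin-bound agent releases the secret on the honest path and returns nothing on the lookalike path, and the user did the same thing (nothing extra) in both cases; that is the property the e-mail asks for, whatever concrete mechanism is used to bind the secret to the site.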

