[security] Phishing: Bookmarks to the rescue?

Ka-Ping Yee openid at zesty.ca
Sat Jan 20 16:53:19 PST 2007


In the shower today I thought of an approach (which is an extension
of Simon Willison's proposal) that could make a dent in the OpenID
phishing problem.  Upon re-reading Simon's post I realized that the
discussion on the post was headed in a similar direction.

In short, the provider asks users to bookmark the login page, and
tells them to always use the bookmark to log in.  The provider never
shows a login form in response to any request that contains a
Referer: header -- instead, it warns users always to use the bookmark.

I've explained it in more detail on my blog:

    http://usablesecurity.com/2007/01/20/phishing-and-openid/

Bookmarks have previously not been an adequate response to phishing
because users would have to create bookmarks for every site they
use.  But in combination with OpenID, the bookmark approach becomes
much more feasible.  What do you think?


-- ?!ng
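As an added example that is not part of Ka-Ping's post nor any provider's code, here is a minimal WSGI login endpoint implementing the Referer rule described above; the `/login` path and the page strings are assumptions of this example.

```python
# Added example (not from the original post or any OpenID provider):
# a minimal WSGI login endpoint that applies the "bookmark only" rule.
# The /login path and the page strings below are this example's own.
from wsgiref.simple_server import make_server

LOGIN_FORM = b"<form method='post' action='/login'>...</form>"
WARNING_PAGE = (b"You reached this page by following a link, not your bookmark. "
                b"Always log in using the bookmark you saved for this site.")


def classify_request(environ):
    """Return 'form' if the login form may be shown, otherwise 'warn'.

    WSGI exposes the Referer header as HTTP_REFERER. Any non-empty value
    means the browser arrived here by following a link, so the provider
    refuses to show a form and shows the bookmark reminder instead.
    A missing or empty Referer is what a bookmark or typed URL looks like.
    """
    referer = environ.get("HTTP_REFERER", "").strip()
    return "warn" if referer else "form"


def login_app(environ, start_response):
    """WSGI app: only /login is served; all other paths get 404."""
    if environ.get("PATH_INFO") != "/login":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if classify_request(environ) == "warn":
        # Deliberately no form here: a link from another page never lands
        # the user on a credential prompt, which is the point of the rule.
        start_response("200 OK", [("Content-Type", "text/html")])
        return [WARNING_PAGE]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [LOGIN_FORM]


if __name__ == "__main__":
    # Local demo server; visit http://127.0.0.1:8000/login directly
    # (no Referer) and then via a link from another page to compare.
    make_server("127.0.0.1", 8000, login_app).serve_forever()
```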

