lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 24 Mar 2008 09:25:36 +0000
From: "Petko D. Petkov" <pdp.gnucitizen@...glemail.com>
To: "Steven Rakick" <stevenrakick@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenID. The future of authentication on the
	web?

Let's put it this way,

It is easy to prevent phishing attacks against OpenID on the
client-side with browser extensions. In fact, I think that Firefox
will make this feature a default in their upcoming versions. It could
work exactly the same as the current trusted certificate authorities
every single web browser comes with. You will have a list of trusted
OpenID providers domains which are also cross-matched with their SSL
certificates and URLs. Done!

If firefox is not planning to implement this feature, heck I will code
it myself. This is a hello world XUL extension.

pdp

On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick <stevenrakick@...oo.com> wrote:
> Many of you have brought up that OpenID is vulnerable
>  to phishing and have highlighted weaknesses specific
>  traditional username/password authentication.
>
>  This was the main reason I bought up Information Cards
>  in my original post. I've noticed that Beemba
>  (http://www.beemba.com) and MyOpenID
>  (http://www.myopenid.com) have both implemented
>  Information Cards as an authentication option.
>
>  Good idea?
>
>  It seems to me that if you were to rely on Information
>  Cards as opposed to username/password the phishing
>  angle is mitigated. Is this not the case?
>
>  -sr
>
>
>
>       ____________________________________________________________________________________
>  Be a better friend, newshound, and
>  know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
>
>
>
>  _______________________________________________
>  Full-Disclosure - We believe in it.
>  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>  Hosted and sponsored by Secunia - http://secunia.com/
>



-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ