| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6905b1570803240225t60860ba6qedc7bc2ae7e4c661@mail.gmail.com> Date: Mon, 24 Mar 2008 09:25:36 +0000 From: "Petko D. Petkov" <pdp.gnucitizen@...glemail.com> To: "Steven Rakick" <stevenrakick@...oo.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: OpenID. The future of authentication on the web? Let's put it this way, It is easy to prevent phishing attacks against OpenID on the client-side with browser extensions. In fact, I think that Firefox will make this feature a default in their upcoming versions. It could work exactly the same as the current trusted certificate authorities every single web browser comes with. You will have a list of trusted OpenID providers domains which are also cross-matched with their SSL certificates and URLs. Done! If firefox is not planning to implement this feature, heck I will code it myself. This is a hello world XUL extension. pdp On Sun, Mar 23, 2008 at 11:16 PM, Steven Rakick <stevenrakick@...oo.com> wrote: > Many of you have brought up that OpenID is vulnerable > to phishing and have highlighted weaknesses specific > traditional username/password authentication. > > This was the main reason I bought up Information Cards > in my original post. I've noticed that Beemba > (http://www.beemba.com) and MyOpenID > (http://www.myopenid.com) have both implemented > Information Cards as an authentication option. > > Good idea? > > It seems to me that if you were to rely on Information > Cards as opposed to username/password the phishing > angle is mitigated. Is this not the case? > > -sr > > > > ____________________________________________________________________________________ > Be a better friend, newshound, and > know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters gnucitizen.org | hakiri.org | spinhunters.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists