Friday, July 18, 2008

OpenID, Phishing & PAPE, Are we there yet?

When I first got to know how OpenID works, I was really impressed with the idea. It is pretty simple and straightforward compared to the WS-Sec* stuff I have been messing with. OpenID is becoming the hype, and sometimes we tend to think of it as a silver bullet (at least I did). OpenID is cool as an SSO solution. But what about phishing? Does it prevent phishing? The answer is no. In fact, it seems to make a phisherman's life easier by giving him a new way of driving the fish into the net. Why? Because of the way OpenID works: the relying party redirects the user to the OpenID provider, so a phishing site can redirect the user to an impersonated OpenID provider without raising much suspicion, and it can find out enough about your OpenID provider (OpenID discovery tells it where your provider lives) to automate this process.
If you want to see how this really happens, you can try out the OpenID Phishing demo. If you don't want to try it out, Mike Jones has illustrated how the OpenID Phishing demo works in his blog post "Gone Phishing". Stefan Brands also summarizes the security issues of OpenID in his post "The problem(s) with OpenID", and Ben Laurie describes this problem in more detail in his post "OpenID: Phishing Heaven". In response, Simon Willison suggests how OpenID providers can help reduce the risk of phishing. The idea is to make users go directly to the OpenID provider rather than being redirected or following links. According to Simon, "Instead of displaying the login form directly, providers should show a page that looks something like this: To log in, please navigate to login.example.com. The page you are currently viewing should contain no links; if there are any links or this text is changed in any way you may become a victim of online identity theft." He also suggests that OpenID provider URLs should be short, distinctive and memorable to make this effective. Yes, most people agree that the best defence against phishing is to educate users, but then again, is this really possible? Will an ordinary person remember this if he is forwarded to an impersonating web site that directly offers a login screen or a link? Will someone who doesn't care about what is in the address bar notice that it is not http://myopenid.com?
One way of doing this is for OpenID providers to force users to log in to the provider via a bookmark. myOpenID's SafeSignIn is one such solution. But if someone impersonating the OpenID provider puts up a nice message saying that, as a new feature, you can now log in directly without using the bookmark, how many people will fall for it? Another solution is to use pre-configured images or icons, so that only the real provider can present you with the image/icon you chose; if you don't see your image/icon, you can tell that you have landed on a spoofed site. Yahoo's Sign-in Seal and myOpenID's Personal Icon are two such solutions. But again, this depends on how aware the user is of these features. VeriSign's OpenID SeatBelt plugin is another approach to preventing phishing. The plugin has an "Enable Phish Detection" option; when it is enabled, it tries to detect phishing attempts when we are redirected to OpenID providers and always redirects us to the legitimate OpenID provider. Another solution is to use OpenID with Infocards. Kim Cameron talks in detail about how to prevent phishing attacks with Infocard in his blog post "Integrating OpenID and Infocard". There seem to be many other custom efforts to avoid phishing attacks, but OpenID seems to be moving towards a standard solution.
The OpenID Provider Authentication Policy Extension (PAPE) specification tries to solve this problem by enabling OpenID relying parties to request that the OpenID provider use a phishing-resistant authentication method, and by enabling providers to inform relying parties whether a phishing-resistant method was used. So if the OpenID provider doesn't authenticate the user in a phishing-resistant way, it should tell the relying party that it did not, so the relying party can decide what to do. But is this completely bulletproof? It only guarantees that the OpenID provider used phishing-resistant authentication this time, because the relying party asked for it; it doesn't mean the provider has always used phishing-resistant authentication. What if some phisherman impersonated a relying party earlier and the user has already fallen victim to a phishing attack? Then, when the legitimate relying party asks the OpenID provider to authenticate in a phishing-resistant manner, the phisherman can still succeed, as he has already obtained the necessary information.
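As an added example (not code from this post, nor from any of the projects it mentions), here is the relying-party side of that PAPE exchange in Python: the redirect that asks the provider for phishing-resistant authentication performed within the last few minutes, and the check the relying party runs on the provider's answer before trusting it. The parameter names and policy URIs are the ones PAPE 1.0 defines; the endpoint, identifier and return URLs are hypothetical, the sample assertions are constructed with a placeholder signature, and verification of the OpenID signature itself is assumed to happen elsewhere.

```python
"""Relying-party side of the OpenID PAPE 1.0 exchange (added example, not the post's code)."""
import time
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qsl

# Namespace and policy URIs defined by the PAPE 1.0 specification.
OPENID2_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
POLICY_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"


def build_pape_request(op_endpoint, claimed_id, return_to, max_auth_age=300):
    """Build the checkid_setup redirect URL that asks the provider for
    phishing-resistant authentication performed within max_auth_age seconds.
    The endpoint, identifier and return_to values are hypothetical inputs."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": return_to,
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": PHISHING_RESISTANT,
        "openid.pape.max_auth_age": str(max_auth_age),
    }
    return op_endpoint + "?" + urlencode(params)


def check_pape_response(query_string, max_auth_age=300, now=None):
    """Decide whether the provider's positive assertion satisfies the PAPE
    request. Returns (ok, reason). The OpenID signature is assumed to have
    been verified already (association or check_authentication); here we only
    confirm that the PAPE fields are inside the signed set, because a claim
    outside openid.signed could have been added or altered in transit.
    This attests only to how this login was done, not to earlier logins."""
    now = time.time() if now is None else now
    p = dict(parse_qsl(query_string, keep_blank_values=True))

    if p.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if p.get("openid.ns.pape") != PAPE_NS:
        return False, "provider did not answer the PAPE request"

    signed = set(p.get("openid.signed", "").split(","))
    for field in ("ns.pape", "pape.auth_policies", "pape.auth_time"):
        if field not in signed:
            return False, "PAPE field %s is not covered by the signature" % field

    # auth_policies is a space-separated list of policy URIs, or the 'none' URI.
    policies = set(p.get("openid.pape.auth_policies", "").split())
    policies.discard(POLICY_NONE)
    if PHISHING_RESISTANT not in policies:
        return False, "provider did not use phishing-resistant authentication"

    # auth_time is UTC in the form 2008-07-18T10:00:00Z; reject stale logins.
    try:
        auth_time = datetime.strptime(p["openid.pape.auth_time"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        return False, "missing or malformed pape.auth_time"
    age = now - auth_time.replace(tzinfo=timezone.utc).timestamp()
    if age < 0 or age > max_auth_age:
        return False, "authentication is %d s old, more than %d s" % (age, max_auth_age)
    return True, "phishing-resistant authentication %d s ago" % age


def _constructed_response(auth_policies, auth_time, sign_pape=True):
    """Constructed sample assertion; the signature value is a placeholder."""
    signed = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
    if sign_pape:
        signed += ",ns.pape,pape.auth_policies,pape.auth_time"
    return urlencode({
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": auth_policies,
        "openid.pape.auth_time": auth_time,
        "openid.signed": signed,
        "openid.sig": "PLACEHOLDER-SIGNATURE",
    })


# Reference clock for the constructed samples: 2008-07-18 10:02:00 UTC.
NOW = datetime(2008, 7, 18, 10, 2, tzinfo=timezone.utc).timestamp()
GOOD = _constructed_response(PHISHING_RESISTANT, "2008-07-18T10:00:00Z")
STALE = _constructed_response(PHISHING_RESISTANT, "2008-07-18T09:00:00Z")
UNSIGNED = _constructed_response(PHISHING_RESISTANT, "2008-07-18T10:00:00Z", sign_pape=False)
NONE_USED = _constructed_response(POLICY_NONE, "2008-07-18T10:00:00Z")

if __name__ == "__main__":
    print(build_pape_request("https://op.example/auth", "https://alice.example/", "https://rp.example/return"))
    for name, resp in [("good", GOOD), ("stale", STALE), ("unsigned", UNSIGNED), ("none", NONE_USED)]:
        print(name, check_pape_response(resp, now=NOW))
```

The three rejection paths are the ones a relying party actually needs: a provider that answered with the "none" policy, an assertion whose PAPE fields sit outside `openid.signed`, and an `auth_time` older than the `max_auth_age` that was requested. What the check cannot see is exactly the gap the paragraph above points out: a user whose credentials were already captured by an earlier impersonation still produces a perfectly valid phishing-resistant assertion today.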
So it seems that protecting an average user from phishing using technology alone (without educating him about security concerns) is a pretty hard thing. And yeah, we have to agree it is an inherent problem and not a problem of OpenID itself. So will we be able to get rid of phishing with technology alone, without the users' support? Maybe we will, someday. Who knows....
