Re: [Savannah-users] OpenID security? Is it a joke?


From: Karl Goetz
Subject: Re: [Savannah-users] OpenID security? Is it a joke?
Date: Sat, 1 Aug 2009 18:43:56 +0930

On Sat, 1 Aug 2009 00:44:14 +0100
Davi Leal <address@hidden> wrote:

> Sylvain Beucler wrote:
> > Davi wrote:
> > > Karl Goetz wrote:
> > > > OpenID consumer support?

> > - back up your claims
> >
> 
> Read http://en.wikipedia.org/wiki/OpenID#Security_and_phishing .
> Please read the references too. You ask for information, so read and
> understand all of them.

The relevant part of the article seems to be this[1]:

Some observers have suggested that OpenID has security weaknesses and
may prove vulnerable to phishing attacks.[54][55][56] For example, a
malicious relying party may forward the end-user to a bogus identity
provider authentication page asking that end-user to input their
credentials. On completion of this, the malicious party (who in this
case also control the bogus authentication page) could then have access
to the end-user's account with the identity provider, and as such then
use that end-user’s OpenID to log into other services.

This isn't OpenID specific. If a malicious website refers you to a
special log in area you still lose your details.

[1] I won't have time to read the related references until next week.

> Do you know any bank which offers OpenID as an authentication mechanism?
> Realize a good analysis please.

If you're referring to your bank metaphor when you say "Realize a good
analysis please", no, I do not think this is good analysis.
kk

-- 
Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian contributor / gNewSense Maintainer
http://www.kgoetz.id.au
No, I won't join your social networking group
