[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Savannah-users] OpenID security? Is it a joke?
|
From: |
Karl Goetz |
|
Subject: |
Re: [Savannah-users] OpenID security? Is it a joke? |
|
Date: |
Sat, 1 Aug 2009 18:43:56 +0930 |
On Sat, 1 Aug 2009 00:44:14 +0100
Davi Leal <address@hidden> wrote:
> Sylvain Beucler wrote:
> > Davi wrote:
> > > Karl Goetz wrote:
> > > > OpenID consumer support?
> > - back up your claims
> >
>
> Read http://en.wikipedia.org/wiki/OpenID#Security_and_phishing .
> Please read references too. You ask for information, so read and
> understand all them.
The relevant part of the article seems to be this[1]:
Some observers have suggested that OpenID has security weaknesses and
may prove vulnerable to phishing attacks.[54][55][56] For example, a
malicious relying party may forward the end-user to a bogus identity
provider authentication page asking that end-user to input their
credentials. On completion of this, the malicious party (who in this
case also control the bogus authentication page) could then have access
to the end-user's account with the identity provider, and as such then
use that end-user’s OpenID to log into other services.
This isn't OpenID specific. If a malicious website refers you to a
special log in area you still lose your details.
[1] I won't have time to read the related references until next week.
> Do you know any bank which offer OpenID as authentication mechanism?
> Realize a good analysis please.
If your referring to your bank metaphor when you say "Realize a good
analysis please", no, I do not think this is good analysis.
kk
--
Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian contributor / gNewSense Maintainer
http://www.kgoetz.id.au
No, I won't join your social networking group
signature.asc
Description: PGP signature
- Re: [Savannah-users] OpenID security? Is it a joke?,
Karl Goetz <=