From the website:
Sounds like this work complements WikiPassport.
See also:
OpenID is interesting, but it's a pity security between the OpenID identity provider and the user has not been considered, leaving it exploitable by phishing. There have been a few ideas to allow users to customize their login forms on the identity provider, so they are more difficult to copy, but most methods seem to require cookies. -- JaredWilliams
It's more attractive to phish it, as gaining a user & password means you can log into any web app that supports OpenID as the phished user. -- JaredWilliams
Hmmm...this is something that I plan on exploring more at http://socialsynergyweb.net/cgi-bin/wiki/OpenidEcomm/HomePage
So far I've seen people talk about
Phishing seems to me to be more of a risk when you are utilizing a third party IdentityProvider, than when you are, for instance, your own IdentityProvider, which is fairly easy to do with OpenID. Unless you are saying that people are able to mask their phishing site with your domain, for instance?
I think it could be interesting to really break down the mechanics of Phishing, and other OpenID security problems, and see what can be done about it.
For OpenID ecommerce, a verification system could easily be implemented, to make sure that someone is not masking or somehow spoofing an OpenID url. -- SamRose
With respect to phishing: I think that the problem there lies with using passwords, not with using OpenID. I started an OpenID identity provider called certifi.ca (https://certifi.ca/ ) that only uses browser SSL certificates for authentication; no passwords are asked for, ever. I hope it's going to be useful for people. --EvanProdromou
Hmmm, certificates aren't likely to become mainstream in my opinion; people not knowledgeable enough to use certificates are exactly the same people that will be more at risk from phishing.
Have seen another OpenID identity provider using certificates, http://www.prooveme.com/ , though they use the browser to generate the certificate (well not all obviously but the public/private pair). Still as Chris points out awkward with multiple machines.
Still waiting for a provider to sell usb tokens with their service. Could have certificates securely stored on it, or possibly a one time password generator. Most device manufacturers seem to be supporting the [OATH] (HOTP) open standard now, so integrating it into a web site is easy. Actually the apache project has the [triplesec project] which uses HOTP, and provides a Java ME application to allow phones etc to become OTP tokens. -- JaredWilliams
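As an added illustration of the HOTP algorithm mentioned above (this is example code written for this page, not code from the OATH group, Triplesec, or any provider named here), the following implements RFC 4226 HMAC-based one-time passwords on both sides: the token-side generator and the server-side verifier with a look-ahead window for counter resynchronisation. The shared secret is the RFC 4226 test-vector key, and the look-ahead size of 5 is a constructed policy value; a real deployment would also rate-limit failed attempts.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = ((mac[offset] & 0x7F) << 24           # mask the sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                look_ahead: int = 5, digits: int = 6):
    """Server-side check (RFC 4226 section 7.2 resynchronisation).

    The token may have been pressed a few times without a login, so the
    server tries the next `look_ahead` counter values.  On success it returns
    the counter the server must store next (matched counter + 1), so the same
    code can never be accepted twice; otherwise it returns None.
    """
    for c in range(stored_counter, stored_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


# Constructed demo using the RFC 4226 test-vector secret.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server_counter = 0
    token_counter = 1                            # token was pressed once unused, then again
    code = hotp(SECRET, token_counter)
    new_counter = verify_hotp(SECRET, server_counter, code)
    print("accepted, server counter now", new_counter)       # resynchronised to 2
    print("replay:", verify_hotp(SECRET, new_counter, code))  # None: old counter rejected
```

The two properties worth noticing for the phishing discussion are that the code is useless after a single use (a captured code cannot be replayed once the server counter has moved past it) and that verification happens only on the server with the shared secret, so the token itself never reveals it.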
For instance, if I receive an email saying that I need to visit ebay right away to update my password, and I click on the link to the form, then when I proceed to submit information on the form, a window pops up and asks me "is this ebay" and has ebay's current authentic login machine information to check it against. If it doesn't match up, it warns me "THIS IS NOT EBAY! It is likely someone trying to steal your information!". This could cut down on phishing victims significantly if done right, IMO -- SamRose
There was a paper on using a browser plugin, [Passpet], but unfortunately the software doesn't seem to be ready yet, [Passpet @ mozdev]. -- JaredWilliams
I've been watching and discussing certificates for a few years...
During this time, I've been wondering why they aren't catching on and I generally concluded that they were complicated enough to require technical support and that there wasn't all that much of a benefit to using them. Suddenly (as of late 2006-12) I find myself using them daily and ...
I just heard that Vidoop ( http://vidoop.com/ ) claims it has new technology based on OpenID that is easier to use and "more secure" than passwords. "Presumably Vidoop will be revealing more of what is behind its curtain at the Web 2.0 Expo in San Francisco on April 17th." -- [Say good-bye to passwords]
Vidoop is about 10 minutes from my place. Are these people that I should go talk to? -- DavidCary
Based on the screencast, while they claim they are defending against KeystrokeLogging, if you have a keystroke logger installed on your computer, you're just as likely to have a remote desktop. It is not really a large leap to see attackers adapting by taking a screen capture of the Vidoop login sequence. Since the number of categories is small, all an attacker needs is a screen capture and password for one session, and they have a pretty good guess what your password is. On the other hand, there are 16 images, so there are only 120 possible 2-image pairs for a login. If you have a large database of vidoop accounts, it should be possible to break into 1/40 of them through brute force and random chance (assuming 3 password attempts). I remain sceptical. -- SunirShah