On 19 Jan 2007, at 14:19, Ben Laurie wrote: > Still totally unhappy about the phishing issues, which I blogged > about here: > > http://www.links.org/?p=187
I have a proposal which I think could greatly reduce the risk of phishing: identity providers should /never/ display their login form (or a link to the form) on a page that has been redirected to by an OpenID consumer. Instead, they should instruct the user to navigate to the login page themselves. The login page should have a short, memorable URL and users should be encouraged to bookmark it themselves when they sign up for the provider. The OpenID "landing page" then becomes an opportunity to help protect users against phishing rather than just being a vector for the attack. I've fleshed this out on my blog: http://simonwillison.net/2007/Jan/19/phishing/ Does that sound workable? Cheers, Simon _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
