[SGVLUG] "phishing" for OpenIDs

Emerson, Tom (*IC) Tom.Emerson at wbconsultant.com
Thu May 17 12:07:34 PDT 2007


Don't you just hate it when you buy some new piece of hardware, find it
"doesn't quite work", and the vendor/support website has a typical
"PHP:BB" forum where you have to register yet another [throwaway] account
that you'll forget in a week's time?

Well, there is a (grass roots?) movement out to create something known
as an "openID" [http://openid.net] -- basically, it is a URI/URL that
uniquely identifies "you", so that every time you find a new "forum" you
don't have to futz around with creating that throw-away ID.  I'm not
entirely certain how it works (the website tries to explain it, but it's
not sinking in quite yet) but what I understand of it is that when you
encounter a site that is participating in this, you enter your "URI"
[usually, your own "blog" site] and it then /redirects/ your browser to
your own site in such a way that "your site" knows that this is an ID
request and you can then add an authorization for that site to allow you
to log on [yeah, clear as mud...]

In any case, it seems that this grand idea is still subject to phishing
scams, ranging from the usual phishing lure to one that is pure beauty
in its simplicity :)

  1) [the standard method] redirect the user to /your own copy/ of the
login/auth screen for that site (such as AOL) and hope and pray the users
don't notice you've sent them to http://hard_coded_ip/myfakelogin.html
instead of the "real" page

  2) [a little more involved as it adapts to changes by the site]
dynamically re-create the page by querying the site proper and simply
skim the values as you pass them thru.  Same caveat as above, but if the
"provider" changes their logon form, people are more likely to notice an
"out of date" version of it when using the above technique

  3) [pure genius] present the user with TWO fields: your openID "URI"
AND the "password".  The reason this is so slick is that users are
accustomed to a two-field entry, so they'd go blasting right ahead and
submit both values without realizing that they aren't supposed to be
PROMPTED for a password UNTIL they get to the "redirected" site...
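As an added illustration of item 3 above (example code written for this page, not from the original post or from the OpenID project), the following Python scans the login forms on a page and flags the tell-tale combination the post describes: a form that asks for an OpenID identifier AND a password on the same screen. A genuine relying party only collects the identifier and then redirects the browser to the user's own provider, which is the only party that should ever prompt for the password. The field names treated as "OpenID identifier" inputs are a heuristic list I chose, the two HTML snippets are constructed samples, and the IP address is a documentation-range address, not a real phishing host.

```python
"""Detect the two-field OpenID phish: an identifier and a password on one form.

Added example, not code from the original post. The OPENID_FIELD_NAMES set is a
heuristic assumption; the sample pages below are constructed, not captured.
"""
from html.parser import HTMLParser

# Input names commonly used for the OpenID identifier box (assumption: a
# heuristic list, not an exhaustive or normative one).
OPENID_FIELD_NAMES = {"openid_identifier", "openid_url", "openid", "openid.identity"}


class _FormScanner(HTMLParser):
    """Collect the <input> fields of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "fields": [(name, type), ...]}
        self._current = None   # form currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Missing type defaults to "text" per HTML; normalise case for comparison.
            self._current["fields"].append(
                (a.get("name", "").lower(), a.get("type", "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_forms(html):
    """Return [(action, verdict)] for every form on the page.

    Verdicts:
      "openid-only"     - identifier with nothing secret: what a real relying party shows
      "openid+password" - identifier and password together: the phish from item 3
      "password-only"   - an ordinary local login, unrelated to OpenID
      "other"           - no identifier and no password field
    """
    scanner = _FormScanner()
    scanner.feed(html)
    results = []
    for form in scanner.forms:
        names = {name for name, _ in form["fields"]}
        types = {ftype for _, ftype in form["fields"]}
        has_openid = bool(names & OPENID_FIELD_NAMES)
        has_password = "password" in types
        if has_openid and has_password:
            verdict = "openid+password"
        elif has_openid:
            verdict = "openid-only"
        elif has_password:
            verdict = "password-only"
        else:
            verdict = "other"
        results.append((form["action"], verdict))
    return results


# Constructed sample pages (not real sites). 198.51.100.0/24 is a
# documentation address range, standing in for the "hard_coded_ip" in the post.
LEGIT_RP = """
<form action="/openid/login" method="post">
  <input type="text" name="openid_identifier">
  <input type="submit" value="Log in">
</form>
"""

PHISH_RP = """
<form action="http://198.51.100.7/myfakelogin.php" method="post">
  <input type="text" name="openid_identifier">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

if __name__ == "__main__":
    for page in (LEGIT_RP, PHISH_RP):
        for action, verdict in classify_forms(page):
            print(f"{action}: {verdict}")
```

The check is deliberately about page shape rather than about where the form posts, because tricks 1 and 2 in the post already show that the destination can be made to look plausible; the one thing a relying party can never legitimately do is ask for the password itself.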
