Talk:OpenID Phishing Brainstorm
I have not attributed the ideas to their respective originators. Feel free to make edits to add the necessary credits.
-- =wil 22 January 2007 (PST)
Client-Based Mitigation
- This will not work when the rogue RP is using an HTML injection vulnerability on the OP. -- 3247 07:51, 21 January 2007 (PST)
- I suggest that the OP should include some special markup on the login page. The client can recognize if a webpage claims to be an OP and then react (change chrome, present a chrome-based login box, check if this OP is on a whitelist, if the user logged in to this webpage before and so on, warn the user if the OP seems to be fake or even block login). If special markup is not used, the fake-OP will look very different than the true-OP. -- Marcin Jagodzinski
"examine domain name"?
Is checking the browser's address bar all that it takes to confirm that one is not subject to a phishing attack? Or is there more to it? samwilson 14:26, 1 January 2008 (PST)

