About Me

Hi. I'm John Eckman.

John Eckman

I'm a Sr. Director at Optaros, a professional services firm offering strategy, design, development, and consulting services to enterprises interested in leveraging free and open source software.

This work is licensed under a Creative Commons Attribution 3.0 License.
March 27, 2007

Open Phishing

John @ 2:51 am

(via Rod Begbie)

Marco Slot has written up a “Beginner’s Guide to OpenID Phishing” to demonstrate how vulnerable the popular distributed identity system can be to impersonation / person-in-the-middle attacks.

The real problem, of course, is the reliance on username/password based authentication schemes, and the ease with which a login form (for the OpenID provider itself) can be spoofed - even dynamically spoofed, so that the phishing site can react in real time to whatever provider you’ve used.

OpenID is a great system we’d all like to see succeed, but in its current form it must be used rather cautiously and with an eye out for attacks like those Marco describes.
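One defender-side check that follows from the attack described above, as an added example that is neither from this post nor from Marco Slot's guide: in the OpenID flow, a relying party sends the user to the provider endpoint declared by the identity page's `<link rel="openid.server">` tag, whereas a phishing relying party (even a "dynamic" one that mirrors the real provider) serves its look-alike password form from its own origin. The code discovers the legitimate provider endpoint from the identity page and compares its origin with the origin of the page asking for the password; the identity-page HTML and URLs are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _OpenIDLinkParser(HTMLParser):
    """Collect href values of <link rel="openid.server"> (OpenID 1.1)
    and <link rel="openid2.provider"> (OpenID 2.0) tags."""

    def __init__(self):
        super().__init__()
        self.endpoints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if ("openid.server" in rels or "openid2.provider" in rels) and a.get("href"):
            self.endpoints.append(a["href"])


def discover_provider(identity_html):
    """Return the provider endpoint URL declared by an identity page, or None."""
    p = _OpenIDLinkParser()
    p.feed(identity_html)
    return p.endpoints[0] if p.endpoints else None


def origin(url):
    """Lower-cased scheme + host (+ non-default port) of a URL."""
    u = urlsplit(url)
    port = f":{u.port}" if u.port and u.port not in (80, 443) else ""
    return f"{u.scheme.lower()}://{(u.hostname or '').lower()}{port}"


def login_form_is_legitimate(identity_html, form_url):
    """True only if the page requesting the password is on the discovered
    provider's origin; any mismatch (other host, or http where the provider
    declared https) is the tell-tale sign of a spoofed provider login form."""
    endpoint = discover_provider(identity_html)
    if endpoint is None:
        return False
    return origin(form_url) == origin(endpoint)


# Constructed identity page, as a user's OpenID URL might serve it.
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example/openid/server">
<link rel="openid.delegate" href="https://idp.example/users/alice">
</head><body>alice</body></html>"""
```

The check belongs in a browser extension or relying-party library rather than in the user's head; it does not help when the identity page itself is served by the attacker, which is why the post's point about password-based provider logins stands.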


