posted by (anonymous) at 08:38pm on 2009-06-09
What's to stop a site from putting up a fake login page and collecting user names and passwords? I guess the login page would have the wrong URL if they did that, but I bet a lot of people don't check.

Bill
dglenn: Me in kilt and poofy shirt, facing away, playing acoustic guitar behind head (Default)
posted by [personal profile] dglenn at 09:01pm on 2009-06-09
I did think of that (though it's not as bad as you describe -- see below), and the same solution you suggested (look at the URL displayed in the location bar to see that it's coming from the right place), and the same worry that some folks might not check.

All I can really say is, "remember to look at the URL before clicking 'yes'," and hope my friends are observant enough if such a malicious site ever shows up. I'm thinking that the folks who are avoiding OpenID for lack-of-trust reasons would think to verify that the URL is correct, rendering the scheme safe after all (as long as they weren't half-asleep one time ... hmmm.)

Now if you're already logged into your home site, there's never any password asked for that a malicious site could collect -- your home site uses your login cookie to know you're you, and just asks permission to authenticate you to the foreign site. Only if you're not logged in at your home site and that site presents a login page when asked to authenticate you, would there be a password field for you to type into. So the malicious site would have to spoof your home site's login page, not the "okay to authenticate?" page. If you are logged in and you get a login page, that should ring alarm bells, even if sleepy.

So yeah, a malicious site could Trojan this, but it'd be low-payoff for the effort. Not saying it won't happen; saying I'm not expecting it to become a major problem.

Note that using the "ok to authenticate?" page, there'd be no point in spoofing that because there'd be no information to collect[1] without the home site having sent it (which means the home site having gotten an answer to its authentic authentication-permission page), so the only thing the malicious site could really do is declare someone to be whom they say they are without verifying that with the site they claim to be from -- not gathering any information; just making it easier for others to spoof you on that site by not really checking identity.

So I think the big hole here, and its solution, is: always check the URL of a login[2] page, just as everybody -- I hope! -- already checks that the location bar truly does say, "https://www.paypal.com/..." before typing in their PayPal password. With that habit, OpenID is safe; without that habit, one has much, much bigger threats to worry about.


[1] LJ states that public information in your profile may be shared, but the malicious site doesn't need to trick you to get any of that.

[2] any page that asks for a password, whether it calls itself a login page or not.

Links

November

SunMonTueWedThuFriSat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
 
30