Here's a post about potential OpenID phishing problems by Ben Laurie, long-time security advocate who played an important role in getting SSL into open source. He's now at Google. Don't misinterpret his intentions despite his characteristically colorful introductory sentence – in a subsequent piece he makes it clear that he too wants to find solutions to these problems.
OpenID announced the release of a new draft of OpenID Authentication 2.0 today. I’m reluctantly forced to come to the conclusion that the OpenID people don’t care about phishing, since they’ve defined a standard that has to be the worst I’ve ever seen from a phishing point of view.
OK, so what’s the problem? If I’m a phisher my goal is to be able to log in to some website, the Real Website, as you, the Innocent Victim. In order to do this, I persuade you to go to a website I control that looks like the Real Website. When you log in, thinking it is the Real Website, I get your username and password, and I can then proceed to empty your Paypal account, write myself cheques from your bank account, or whatever fiendish plan I have today.
So, why does OpenID make this worse? Because in the standard case, I (the phisher) have to make my website look like the Real Website and persuade you to go to it somehow – i.e. con you into thinking I am the real Paypal, and your account really has been frozen (or is that phrozen?) and you really do need to log in to unphreeze it.
But in the OpenID case I just persuade you to go anywhere at all, say my lovely site of kitten photos, and get you to log in using your OpenID. Following the protocol, I find out where your provider is (i.e. the site you log in to to prove you really own that OpenID), but instead of sending you there (because, yes, OpenID works by having the site you’re logging in to send you to your provider) I send you to my fake provider, which then just proxies the real provider, stealing your login as it does. I don’t have to persuade you that I’m anything special, just someone who wants you to use OpenID, as the designers hope will become commonplace, and I don’t have to know your provider in advance.
So, I can steal login credentials on a massive basis without any tailoring or pretence at all! All I need is good photos of kittens.
I had hoped that by constantly bringing this up the OpenID people might take some step to deal with the issue, but they continue to insist on punting on it entirely:
"The manner in which the end user authenticates to their OP [OpenID provider] and any policies surrounding such authentication is out of scope for this document."
which means, in practice, people will authenticate using passwords in forms, as usual. Which means, in turn, that phishing will be trivial.
Like me, Ben was struck by how readily the system currently lends itself to automation of phishing attacks. His second post on the subject is also interesting.
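To make the flow Ben describes concrete, here is an added simulation (my own illustration, not code from Ben's post, from this blog, or from any OpenID library). It models the OpenID 2.0 checkid_setup redirect that a relying party builds after discovery, an honest relying party that sends the user to the discovered provider, and a malicious "kitten site" relying party that sends the user to a proxy provider which records the password and forwards it upstream. The identifiers, hostnames, discovery table and password are all constructed; the ProxyProvider class and the url_bar_check function are my own names. The only check the spec leaves the user is the one url_bar_check performs: compare the host in the address bar with the provider's host.

```python
"""Simulation of the OpenID relying-party phishing flow discussed above.
Added example; everything here is constructed for illustration."""
from urllib.parse import urlencode, urlparse, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed discovery table standing in for Yadis/XRDS or HTML discovery:
# claimed identifier -> the OP endpoint that actually serves it.
DISCOVERY = {"https://alice.example.net/": "https://op.example.net/auth"}


def discover(claimed_id):
    """What any RP does after the user types an OpenID: find the OP endpoint."""
    return DISCOVERY[claimed_id]


def checkid_setup_url(op_endpoint, claimed_id, return_to):
    """Build the OpenID 2.0 checkid_setup request as a redirect to op_endpoint."""
    rt = urlparse(return_to)
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": f"{rt.scheme}://{rt.netloc}/",
    }
    return f"{op_endpoint}?{urlencode(params)}"


class RealProvider:
    """The user's genuine OP, authenticating with a password form as the post predicts."""
    def __init__(self, endpoint, users):
        self.endpoint = endpoint
        self.users = users  # claimed_id -> password (constructed)

    def login(self, claimed_id, password):
        if self.users.get(claimed_id) != password:
            return {"openid.mode": "cancel"}
        return {"openid.mode": "id_res", "openid.claimed_id": claimed_id,
                "openid.op_endpoint": self.endpoint}


class ProxyProvider:
    """Phisher's fake OP (hypothetical class): shows the same login form, records the
    password, then forwards it to the real OP so the victim is logged in and sees nothing odd."""
    def __init__(self, endpoint, upstream):
        self.endpoint = endpoint
        self.upstream = upstream
        self.captured = []

    def login(self, claimed_id, password):
        self.captured.append((claimed_id, password))
        return self.upstream.login(claimed_id, password)


def honest_rp_redirect(claimed_id, return_to):
    """Honest RP: redirect to exactly the endpoint discovery returned."""
    return checkid_setup_url(discover(claimed_id), claimed_id, return_to)


def phishing_rp_redirect(claimed_id, return_to, proxy):
    """Malicious RP: discovery is done honestly (it learns the real OP, which the
    proxy forwards to), but the user is redirected to the proxy instead."""
    real_endpoint = discover(claimed_id)
    assert proxy.upstream.endpoint == real_endpoint  # proxy was built for this OP
    return checkid_setup_url(proxy.endpoint, claimed_id, return_to)


def victim_browser(redirect_url, providers_by_host, password):
    """The victim loads whatever host the redirect names and types the password in."""
    parts = urlparse(redirect_url)
    q = parse_qs(parts.query)
    return providers_by_host[parts.netloc].login(q["openid.claimed_id"][0], password)


def url_bar_check(redirect_url, claimed_id):
    """The one defence the spec leaves the user: does the address-bar host match my OP?"""
    return urlparse(redirect_url).netloc == urlparse(discover(claimed_id)).netloc


def run_scenario():
    alice = "https://alice.example.net/"
    password = "correct horse battery staple"  # constructed
    real = RealProvider("https://op.example.net/auth", {alice: password})
    proxy = ProxyProvider("https://kittens.example.org/openid", real)
    hosts = {"op.example.net": real, "kittens.example.org": proxy}
    return_to = "https://kittens.example.org/return"
    honest = honest_rp_redirect(alice, return_to)
    phish = phishing_rp_redirect(alice, return_to, proxy)
    return {
        "honest_host_ok": url_bar_check(honest, alice),
        "phish_host_ok": url_bar_check(phish, alice),
        "honest_result": victim_browser(honest, hosts, password)["openid.mode"],
        "phish_result": victim_browser(phish, hosts, password)["openid.mode"],
        "captured": list(proxy.captured),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, "=", value)
```

Both runs end with a positive assertion (id_res), so from the victim's side the phished login is indistinguishable from the honest one; the only difference visible to the user is the host in the address bar, which is exactly what the draft leaves out of scope.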