myVidoop passes the ‘fun’ security test

Fun Communications made a neat little site, http://idtheft.fun.de/, that lets you mount a man-in-the-middle phishing attack (the site proxies the provider's login page) against your OpenID provider of choice. It is useful for testing, and we suggest people try it against their own provider; the results may be interesting. Mike Jones used the site to check out a couple of providers and posted his results.

Vidoop is happy to report that our OpenID provider, myVidoop, was not phished by the fun.de demonstration. We do a number of things to resist phishing, including requiring browser activation and the ImageShield itself. In this case the attempt most likely failed because Fun's proxy could not mimic the JavaScript behind the login and/or could not scrape the ImageShield. You would also have been protected if you use our browser plug-in (IE and Firefox versions are available) to log in to myVidoop. We aren't patting ourselves on the back quite yet, though: there is still much work to be done to make myVidoop and OpenID more secure. As Michael Graves points out in a comment on Mike's post:

…the “webness” of OpenID also means it inherits many of the weaknesses of the web, and the vulnerability to phishing attacks is one of those weaknesses…

This has naturally led to discussion about the vulnerabilities of OpenID and what is being done to address them. Part of the answer is PAPE (the OpenID Provider Authentication Policy Extension), which lets a relying party ask the provider for specific authentication policies, such as phishing-resistant authentication, and lets the provider assert in its signed response which of those policies it actually applied. Note the limit of that: PAPE is an assertion by the provider, so a relying party still has to decide which providers it trusts to make it honestly. OpenID providers like Vidoop and VeriSign need to keep adding levels of security on top of basic OpenID authentication. Continued education efforts and improvements in usability will also help OpenID keep growing at a rapid pace.
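As an added illustration of the PAPE exchange described above (example code written for this page, not Vidoop's, VeriSign's or any other provider's implementation): the relying-party side builds a request that prefers the phishing-resistant policy and then checks the provider's answer. The parameter names and policy URIs are those of PAPE 1.0; the two sample responses are constructed, not captured from a real provider, and the ordinary OpenID signature verification that must precede this check is assumed to have been done already.

```python
"""Relying-party side of PAPE (OpenID Provider Authentication Policy Extension 1.0).

Added example for this page; not code from Vidoop or any OpenID provider.
The sample responses below are constructed for illustration.
"""
from datetime import datetime, timezone
from urllib.parse import urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
PAPE_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"


def build_pape_request(preferred_policies, max_auth_age=None):
    """PAPE parameters the relying party adds to its checkid_setup request."""
    params = {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
    }
    if max_auth_age is not None:
        # Ask the provider to re-authenticate if the session is older than this.
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def check_pape_response(params, required_policies, max_auth_age=None, now=None):
    """Return (ok, reason) for a positive assertion whose OpenID signature has
    already been verified. This only checks that the PAPE fields were covered
    by that signature and that they say what the relying party required."""
    signed = set(params.get("openid.signed", "").split(","))
    if params.get("openid.ns.pape") != PAPE_NS:
        return False, "provider did not answer the PAPE request"
    # An unsigned PAPE field could have been added or altered by a proxy.
    for field in ("ns.pape", "pape.auth_policies"):
        if field not in signed:
            return False, f"{field} is not covered by the provider's signature"
    satisfied = set(params.get("openid.pape.auth_policies", "").split())
    satisfied.discard(PAPE_NONE)  # "none" means no policy was applied
    missing = set(required_policies) - satisfied
    if missing:
        return False, "provider did not apply: " + " ".join(sorted(missing))
    if max_auth_age is not None:
        if "pape.auth_time" not in signed:
            return False, "pape.auth_time is not covered by the provider's signature"
        stamp = params.get("openid.pape.auth_time")
        if not stamp:
            return False, "max_auth_age was requested but no auth_time was returned"
        auth_time = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        if (now - auth_time).total_seconds() > max_auth_age:
            return False, "authentication is older than max_auth_age"
    return True, "ok"


# Constructed sample responses (assumed shape, not captured from any provider).
SIGNED_COMMON = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
FIXED_NOW = datetime(2008, 5, 28, 18, 32, 0, tzinfo=timezone.utc)

RESPONSE_PHISHING_RESISTANT = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.signed": SIGNED_COMMON + ",ns.pape,pape.auth_policies,pape.auth_time",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-05-28T18:31:00Z",
}
RESPONSE_NONE = dict(RESPONSE_PHISHING_RESISTANT, **{"openid.pape.auth_policies": PAPE_NONE})
RESPONSE_UNSIGNED_PAPE = dict(RESPONSE_PHISHING_RESISTANT, **{"openid.signed": SIGNED_COMMON})

if __name__ == "__main__":
    print(urlencode(build_pape_request([PHISHING_RESISTANT], max_auth_age=300)))
    for name, resp in [("phishing-resistant", RESPONSE_PHISHING_RESISTANT),
                       ("none", RESPONSE_NONE),
                       ("unsigned PAPE fields", RESPONSE_UNSIGNED_PAPE)]:
        print(name, check_pape_response(resp, [PHISHING_RESISTANT], 300, FIXED_NOW))
```

The point of the signed-list check is the same point the fun.de proxy makes: anything the provider did not sign could have been written by whoever sits between the user and the provider, so a relying party that keys its decisions on PAPE must refuse PAPE fields that are outside `openid.signed`.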

2 Responses to “myVidoop passes the ‘fun’ security test”


  1. 2008/05/28 at 11:31 am

    Hi Kevin,

    Mike Jones’ post does a nice job covering fun.de’s demonstration of the “web weakness” of OpenID. I salute the extensions and protective features that OpenID providers like Vidoop and VeriSign have introduced to help users with respect to this issue. In case it’s not clear (to your readers perhaps), the thrust of Jones’ post was that myopenid.com’s support for InfoCard represents the kind of elegant integration of additional security features that OpenID has welcomed and anticipated from the beginning. OpenID is not InfoCard and InfoCard is not OpenID; they do different things and work together in a complementary way.

    Client SSL certificates are another service feature JanRain offers on myopenid.com, and one that had to be omitted to demonstrate the phishing vulnerabilities (in addition to assuming the user will not take heed of the URL cues or the missing personal icon on the authentication page). Using client SSL certificates (or InfoCard, as Mike Jones showed), myopenid users are not susceptible to the fun.de phishing attempt.

    In any case, fun.de is an important and useful reference point for OpenID providers and their users in configuring OpenID services for maximal utility and security. It’s important that the providers in this space enumerate the features and policies available which provide protections against attacks like this; myopenid.com has multiple ways of doing this. It’s good to hear that Vidoop can’t be scraped, and I know from my experience with VeriSign’s Seatbelt that that bit of extension to your browser is also effective in neutralizing phishing attempts like fun.de’s. A rich array of protective features from the providers in this space is important for the healthy growth of OpenID.

    -Mike

  2. 2008/06/04 at 6:41 am

    [...] sites like Vidoop are more Phishing resistant than others (Vidoop also has a browser plug-in that is available on [...]
