I'm currently testing a simple fix to prevent phishing attacks on OpenID from malicious relying parties.
The idea is simple: I have a static IP address, so I've modified an IdP to authorise me by checking my IP instead of asking for a password. This has the obvious disadvantages of requiring a static IP and limiting you to posting from home.
For posting away from home, an alternative is to install a certificate in the browser and authenticate using this.
It's probably still wise to keep a password as a fallback option, but then you can be extra careful on the occasions when you do need to enter it.
Update: I've put up proof-of-concept code here. The code is a hack but it shows that it can be done.
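To make the decision order described above concrete (static IP first, browser certificate for posting away from home, password only as a fallback), here is an added example of an IdP's authorisation step. It is not the proof-of-concept code from the post; the configuration values, the `Request` fields and the `authorize` function are assumptions, and it takes the peer address from the TCP connection rather than from a proxy header.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (assumed values, not from the original post).
TRUSTED_ADDRESSES = {ipaddress.ip_address("203.0.113.7")}  # owner's static IP (documentation range)
TRUSTED_CERT_FINGERPRINTS = {"ab12" * 16}                  # SHA-256 of the browser client certificate, hex
PASSWORD_SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)


@dataclass
class Request:
    peer_ip: str                               # address of the TCP peer, never a request header
    client_cert_sha256: Optional[str] = None   # set only after the TLS layer verified the certificate
    password: Optional[str] = None             # present only when the user typed one


def authorize(req: Request) -> str:
    """Return which factor authorised the request ('ip', 'cert', 'password') or 'denied'."""
    # 1. Static-IP check. Using the socket peer address (not X-Forwarded-For) matters:
    #    a header can be set by the client, the peer address cannot.
    if ipaddress.ip_address(req.peer_ip) in TRUSTED_ADDRESSES:
        return "ip"

    # 2. Browser certificate, for posting away from home.
    if req.client_cert_sha256 and req.client_cert_sha256.lower() in TRUSTED_CERT_FINGERPRINTS:
        return "cert"

    # 3. Password fallback: hash with the stored salt and compare in constant time.
    if req.password is not None:
        candidate = hashlib.pbkdf2_hmac("sha256", req.password.encode(), PASSWORD_SALT, 100_000)
        if hmac.compare_digest(candidate, PASSWORD_HASH):
            return "password"

    return "denied"


if __name__ == "__main__":
    print(authorize(Request(peer_ip="203.0.113.7")))                            # ip
    print(authorize(Request(peer_ip="198.51.100.9", client_cert_sha256="ab12" * 16)))  # cert
    print(authorize(Request(peer_ip="198.51.100.9", password="correct horse")))  # password
    print(authorize(Request(peer_ip="198.51.100.9")))                            # denied
```

Because the IP check never prompts for anything, a malicious relying party that redirects the browser to a look-alike IdP gets no password to capture when the user is at home; the password path is only ever reached from another address.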

Comments (4)
IP6 here we come.
Written by Guest: Don Park at 3:10am, 25 January 2007.

I've updated to include proof of concept code.

Written by Charles Darke at 10:14pm, 7 February 2007.

This is kind of cool, but what about people who do NOT have a static IP or are logging in from a public computer such as at school, work, or a cybercafe?

Written by Guest: Andrew at 9:19pm, 28 March 2007.
Again, it's just an idea rather than a recommendation. Obviously, this doesn't work when you're away from home unless you SSH/VNC/RDP into your home computer.
Otherwise, you will have to fall back onto something else, e.g. browser certificates (which requires taking your computer, or at least a copy of the certificates, with you).
Ultimately, you'll probably have to fall back to passwords.
Written by Charles Darke at 1:05am, 29 March 2007.