Friday 4th July 2008

OpenID Guerrillas: Day Five

March 7th, 2008 at 16:22 by Kelly Dorset

Yes we did meet up last night :)

  • Tam continued his work on some prototypes for how we’d model the login boxes for the community site with OpenID in mind. You can take a look at his current prototype concepts.
  • Colin has resurrected his work on combining OpenID with Cryptocard’s two-part auth system. He’s been struggling to get the RADIUS client working.
  • Paul consulted with Nigel (one of our architects) about how to get OpenID into our portal authentication system. There’s a convenient spot for it to go in, a gotcha to do with accessing a PlusNet identity provider from a PlusNet webserver, and the necessity of a security review of any added code intended for live.

What did I do? I refreshed myself on the phishing stuff following last week’s Cryptocard conversation. I was mostly working through the examples talked about in Marco Slot’s Beginner’s Guide to OpenID Phishing.
He describes 3 different ‘levels of phishing’ which OpenID is susceptible to. I’ve made the links available to our developers internally to make sure they are aware of, and thinking about, these things.

I can’t help but wonder if you can get around the ‘level 2’ phishing approach via the use of some sort of referrer checking, i.e. are the images being loaded on this page being called from the correct OpenID login form? If not, display phishing warnings. Is that simple to get around? Or does it add a sufficient level of difficulty for the phishermen to not warrant the effort?

Feel free to debate below :D

Kelly

This entry was posted by Kelly Dorset on Friday, March 7th, 2008 at 4:22 pm in the categories OpenID Guerrillas and Web Development.


3 comments on "OpenID Guerrillas: Day Five"

Tamlyn

Referrer checking on images is easily overcome by changing the image source to point to a proxy on the phishing server which loads the correct images from the identity provider by sending a fake referer header.

Kelly

Does that add enough faff to the phish attempt to discourage it? Or is it dead simple ™?

Tamlyn

Seems fairly simple. In effect the attacker is indistinguishable from a genuine user so there’s no way of preventing it from loading all the relevant content (text, images, stylesheets, scripts) from the identity provider. From that point it’s just a case of spitting it out again to the victim of the attack. It’s a tricky one.
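
The referrer check Kelly proposes in the post, and the proxy bypass Tamlyn describes in the comments above, as an added example that is not part of the original post or comments. Two tiny HTTP servers on localhost stand in for an OpenID identity provider and a phisher’s site; the hostnames, paths and image bytes are made up for illustration. The IdP serves its real logo only when the Referer header claims the request came from its own login page, and the phishing proxy defeats that by fetching the logo itself with a forged Referer and handing it on to the victim.

```python
"""Referer-checked IdP image endpoint vs. a phishing proxy that forges the header.

Added example, not code from the original post. Hostnames, paths and the
image payloads below are constructed stand-ins.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed IdP login page URL: the IdP serves its real logo only to requests
# whose Referer says they came from this page (the check proposed in the post).
IDP_LOGIN_URL = "https://idp.example/login"
REAL_LOGO = b"PNG:real-idp-logo"          # constructed stand-in image bytes
WARNING_IMAGE = b"PNG:phishing-warning"  # served instead when the Referer is wrong


class IdPImageHandler(BaseHTTPRequestHandler):
    """The identity provider's /logo.png endpoint with the Referer check."""

    def do_GET(self):
        referer = self.headers.get("Referer", "")
        body = REAL_LOGO if referer.startswith(IDP_LOGIN_URL) else WARNING_IMAGE
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def make_proxy_handler(idp_base):
    """Phisher's server: fetches the IdP image itself, sending a forged Referer,
    then relays the bytes to the victim (the bypass described in the comments)."""

    class ProxyHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            req = urllib.request.Request(idp_base + self.path,
                                         headers={"Referer": IDP_LOGIN_URL})
            with urllib.request.urlopen(req) as resp:
                body = resp.read()
            self.send_response(200)
            self.send_header("Content-Type", "image/png")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return ProxyHandler


def serve(handler):
    """Start a server on a free localhost port in a daemon thread; return it and its base URL."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch(url, referer):
    """Simulate a browser <img> load that sends the given Referer header."""
    req = urllib.request.Request(url, headers={"Referer": referer})
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def demo():
    """Return the image bytes the victim's browser receives in three cases."""
    idp_srv, idp = serve(IdPImageHandler)
    proxy_srv, proxy = serve(make_proxy_handler(idp))
    try:
        return {
            # genuine IdP login page embedding the IdP's own image
            "genuine": fetch(idp + "/logo.png", IDP_LOGIN_URL),
            # naive phishing page hot-linking the IdP image: the Referer gives it away
            "hotlinked": fetch(idp + "/logo.png", "https://evil.example/fake-login"),
            # phishing page loading the image via its own proxy: the check is blind
            "proxied": fetch(proxy + "/logo.png", "https://evil.example/fake-login"),
        }
    finally:
        idp_srv.shutdown()
        proxy_srv.shutdown()
        idp_srv.server_close()
        proxy_srv.server_close()


if __name__ == "__main__":
    for case, body in demo().items():
        print("%-10s %s" % (case, body.decode()))
```

Run it and the "hotlinked" case gets the warning image while "proxied" gets the real logo: from the IdP’s side the proxy’s request is indistinguishable from a genuine page load, exactly as Tamlyn says. The check also misfires on legitimate users, since browsers omit the Referer in some situations (for instance when navigating from an HTTPS page to a plain HTTP resource, or when privacy settings suppress it), so those users would see phishing warnings on the real login page.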

© PlusNet plc All Rights Reserved. E&OE

Community Site News is powered by WordPress