Monday, May 26, 2008

Security through localization

Mike brags about how Infocards can interrupt/prevent a phish.

I tried the phishing demo and, even without using an Infocard, saw some indicators that would flag to even the most obtuse user that something was amiss.

The first clue was a warning from a faithful watch dog

Hmmm, Sxipper smells smoke, and is barking furiously to wake me up.

No bitch (Sxipper is female no?) is going to tell me what to do, so I persevered.

After going through the mental inventory of available OpenIDs alphabetically, I chose Blogger as OP.

The phishing RP sent me to the facsimile Blogger.

This set my spidy senses tingling. As my German is restricted to ordering 'Ein Stein' at the Hoffsbrau House, this seemed strange. Was this some new Blogger program to expand my linguistic horizons?

Not knowing the privacy policy of the demo site with respect to how they would handle my Blogger credentials, I stopped there.


Anonymous said...

Alphabetically? Hmm... since you can't delete it... why'd you skip over, what I'm guessing is, the first one in your list? ;-)

Paul Madsen said...

Actually George, I specifically defined the OpenID that you are referring to so that it would appear last in the list

My way of skewing the selection algorythm.