TrustBearer OpenID Support / Phishing

What You Need to Know About Phishing

Many security experts suggest that the greatest flaw of OpenID is the potential for phishing: tricking a user into logging in to a fake OpenID provider that pretends to be their actual provider. This gives the phisher the user's OpenID password, which they can then use to log in to all of the user's OpenID sites. However...

Secure Authentication with TrustBearer OpenID

Because of the way TrustBearer OpenID works, no passwords are exchanged between the user and the provider. Instead, encrypted random data (a "challenge") is sent to the user's trusted device. The device then accepts the user's PIN, decrypts the data, and sends it back to the provider (the "response"). Once the provider validates the response, it knows that the device you are using is the one registered to you, and it therefore allows you to log in to any sites associated with that device. Because no passwords change hands, there is nothing to phish, and any intercepted data is completely meaningless and useless to a phisher.

Mimic Attack

A relatively simple phishing attempt can be made on a user by using a relying party and provider combination. A malevolent site can ask users to register by supplying their OpenID URL, and then render a fake provider page based on that URL. When the user logs in to what they think is the provider page, they are actually giving their password to the phisher, who can then use it to log in to the real provider later. Furthermore, the phisher could use a separate domain name that relies on a Unicode homograph technique, so that the URL of the fake provider site is indistinguishable from the URL of the real provider site, to complete the illusion. This kind of attack could be perpetrated against any password-based OpenID provider; only carefully checking the provider's certificate or IP address would reveal it to be fraudulent. However, TrustBearer OpenID is not affected by such an attack: a user could only be tricked into providing their PIN to a look-alike site, but unlike a password, that PIN would be useless to the phisher, because the phisher does not have the physical trusted device it unlocks.
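The section above notes that only a careful check of the provider's certificate or address would expose a homograph look-alike. As an added example (not TrustBearer's code), the following Python check, which a relying party or a user-side tool could run over a provider URL before trusting it, flags a non-HTTPS scheme, host labels that mix scripts, and hosts whose look-alike-collapsed form matches the expected provider name. The expected host is the openid.trustbearer.com name this page recommends; the look-alike table is a constructed, deliberately partial one (a real check would use Unicode's confusables data).

```python
"""Defender-side check for look-alike OpenID provider URLs (added example)."""
import unicodedata
from urllib.parse import urlsplit

EXPECTED_HOST = "openid.trustbearer.com"   # the identity host this page recommends

# Constructed, deliberately partial table: Cyrillic/Greek letters that render
# like Latin ones, mapped onto the Latin letter they resemble.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",
}


def to_unicode_host(host: str) -> str:
    """Turn a punycode (xn--) host back into the form the browser displays."""
    try:
        return host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        return host


def skeleton(host: str) -> str:
    """Collapse look-alike letters onto Latin ones so near-identical names compare equal."""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    return "".join(LOOKALIKES.get(ch, ch) for ch in host)


def scripts_in(label: str) -> set:
    """Set of Unicode script names (first word of the character name) used by a label's letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def check_provider_url(url: str, expected_host: str = EXPECTED_HOST) -> list:
    """Return a list of findings; an empty list means the URL is the expected provider over HTTPS."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("scheme is not https")
    host = to_unicode_host(parts.hostname or "")
    if host == expected_host:
        return findings
    for label in host.split("."):
        if len(scripts_in(label)) > 1:
            findings.append(f"label {label!r} mixes scripts")
    if skeleton(host) == skeleton(expected_host):
        findings.append(f"host {host!r} is a look-alike of {expected_host!r}")
    else:
        findings.append(f"host {host!r} is not {expected_host!r}")
    return findings


if __name__ == "__main__":
    for candidate in ("https://openid.trustbearer.com/alice",
                      "http://openid.trustbearer.com/alice",
                      "https://openid.trustbe\u0430rer.com/alice"):   # Cyrillic a, constructed
        print(candidate, "->", check_provider_url(candidate) or "ok")
```

The mixed-script test catches the common case of one substituted letter inside an otherwise Latin label; the skeleton comparison catches a label written entirely in look-alike letters, which mixes nothing but still collapses onto the expected name.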

Proxy Attacks

A clever phisher might craft a web site that looks and behaves like the TrustBearer OpenID site. Depending on the level of complexity, the phisher may choose to act as a go-between for the user and the provider, which is called a "proxy" attack. For password-based OpenID providers, this would reveal your password to the phisher, who would then use it to log you in on the actual provider's site, making it appear as if nothing bad had happened. But the phisher would then have your password, and would be able to use it on any of your OpenID sites.

With TrustBearer OpenID, however, only sites authorized by TrustBearer Labs can use the TrustBearer Live system to access a user's trusted device. Even if the files needed to access the token are modified on the fly to allow another site to use them, they will not pass the checks imposed by the browser plugin, because they are not signed by TrustBearer Labs. Even if a phisher goes as far as modifying the plugin itself, it will not be signed by TrustBearer, and users' browsers will warn them that the plugin does not come from a trusted source.

Man-in-the-Middle Attacks

Phishers may also intercept data being sent between the user and the provider, without pretending to be either one of them. This is called a "man-in-the-middle attack." Any OpenID provider that uses HTTP over SSL, including TrustBearer OpenID, thwarts this technique. (Note that for compatibility, TrustBearer OpenID supports both HTTP and HTTP over SSL (HTTPS). Be sure to use https://openid.trustbearer.com/<username> as your identity URI to avoid man-in-the-middle attacks.) Furthermore, TrustBearer OpenID is significantly less vulnerable to this than other providers, because the information transmitted between the client and server is good only for the current session, unlike passwords, which are useful until users change them.
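As an added illustration (not TrustBearer's code; the device, provider, key size and PIN are all constructed for the example), here is a toy Python model of the challenge/response exchange described under "Secure Authentication with TrustBearer OpenID", with a password-based provider beside it for contrast. It plays out the mimic and proxy scenarios from the earlier sections and the single-session point made here: a phisher who records the PIN and one complete challenge/response cannot reuse either, whereas a recorded password keeps working. The RSA key is a tiny, unpadded textbook key built from two well-known primes; a real device uses full-size keys with proper padding (or a signature scheme).

```python
"""Toy model: device-bound challenge/response versus password login (added example)."""
import secrets

_P, _Q = 1_000_000_007, 998_244_353   # constructed toy primes, far too small for real use
_E = 65537


class TrustedDevice:
    """Holds the private key and only uses it after the correct PIN is entered."""

    def __init__(self, pin: str):
        self.n = _P * _Q
        self.e = _E
        self._d = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent never leaves the device
        self._pin = pin

    @property
    def public_key(self) -> tuple:
        return (self.n, self.e)

    def respond(self, challenge: int, pin: str) -> int:
        """Decrypt the provider's challenge; refuses without the right PIN."""
        if pin != self._pin:
            raise PermissionError("wrong PIN")
        return pow(challenge, self._d, self.n)


class DeviceProvider:
    """Provider that knows each user's device public key and issues one-time challenges."""

    def __init__(self):
        self._keys = {}       # user -> (n, e)
        self._pending = {}    # user -> nonce awaiting its response

    def register(self, user: str, public_key: tuple) -> None:
        self._keys[user] = public_key

    def challenge(self, user: str) -> int:
        n, e = self._keys[user]
        nonce = secrets.randbits(56)          # fresh random value per login, < n
        self._pending[user] = nonce
        return pow(nonce, e, n)               # only the device can recover the nonce

    def verify(self, user: str, response: int) -> bool:
        expected = self._pending.pop(user, None)   # single use: consumed whether it matches or not
        return expected is not None and response == expected


class PasswordProvider:
    """Conventional provider for contrast: the secret itself is the credential."""

    def __init__(self):
        self._passwords = {}

    def register(self, user: str, password: str) -> None:
        self._passwords[user] = password

    def verify(self, user: str, password: str) -> bool:
        return self._passwords.get(user) == password


def device_login(provider: DeviceProvider, device: TrustedDevice, user: str, pin: str) -> bool:
    """Normal login: the challenge goes to the device and the decrypted nonce comes back."""
    challenge = provider.challenge(user)
    return provider.verify(user, device.respond(challenge, pin))


def phish_device_user(provider: DeviceProvider, device: TrustedDevice, user: str, pin: str) -> bool:
    """Mimic/proxy phisher records the PIN and one full exchange, then tries alone.
    Returns True only if the phisher gets in."""
    challenge = provider.challenge(user)
    captured_response = device.respond(challenge, pin)   # victim uses the look-alike page
    if not provider.verify(user, captured_response):     # victim's own login completes normally
        raise RuntimeError("victim login should have succeeded")
    provider.challenge(user)                             # later: a new nonce, encrypted to the device
    # The phisher has the PIN but no device to decrypt with, so all it can do is replay.
    return provider.verify(user, captured_response)


def phish_password_user(provider: PasswordProvider, user: str, password: str) -> bool:
    """Same phisher against a password provider: the captured password is reusable."""
    captured = password                       # typed into the look-alike page
    return provider.verify(user, captured)    # phisher logs in later on its own


def demo() -> dict:
    pin, password = "1234", "correct horse"   # constructed sample credentials
    device = TrustedDevice(pin)
    dp = DeviceProvider()
    dp.register("alice", device.public_key)
    pp = PasswordProvider()
    pp.register("alice", password)
    return {
        "device_login": device_login(dp, device, "alice", pin),
        "phisher_vs_device": phish_device_user(dp, device, "alice", pin),
        "phisher_vs_password": phish_password_user(pp, "alice", password),
    }


if __name__ == "__main__":
    print(demo())
```

Two details carry the security property: the provider encrypts a fresh nonce for every login, so the only useful response is one computed by the private key, and it discards the pending nonce as soon as a response arrives, so even a response captured on the wire is dead after one use.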

SSL Error Message Examples

The following browser messages may indicate that a malicious site is trying to obtain your credentials when using an SSL connection to an OpenID site:

Internet Explorer 6

Bad Certificate Error Screenshot

Firefox 2

Bad Certificate Error Screenshot

Firefox 3

Bad Certificate Error Screenshot