OpenID: Phishing

By David Rosen

Here, at last, is the final installment in our 3-part discussion of OpenID. In Part 1 we answered the question, “What is OpenID?” In Part 2 we looked at the benefits and risks that come with using OpenID. Today in Part 3, we’re going to finish our discussion of OpenID by taking a closer look at one of its greatest vulnerabilities: phishing.

Before we delve into how Phishing applies to OpenID, let’s first take a look at a traditional Phishing example:

You check your email and find a (phony) email saying, “Your credit card will be closed unless you log in now to verify our records!!!! Click here to log in and verify your account now!” The phony email very helpfully presents a hyperlink to take you (supposedly) to your Credit Card Company’s website. In actuality, the link takes you to a phony site which LOOKS just like your normal Credit Card login page but with one minor difference: the URL bar has the wrong address. If you fail to notice this one difference, then upon entering your username and password, the phisher will have full access to your Credit Card account.

There are a few key hurdles the phisher has to overcome in order for this attack to be successful:

  1. The email has to be convincing enough to get your attention, but not so over-the-top as to appear phony.
  2. You have to actually click the link provided in the email.
  3. The phishers have to guess which Credit Card Company login page to mimic (American Express looks different from Visa, etc.).
  4. The URL must be good enough to fool you. It must either be similar to the real thing, hidden, or obscured.

If, at any one of these steps, you get suspicious enough to not enter your username and password, then the phisher loses.

OpenID makes this process far easier for the phisher by completely eliminating the first 3 of these obstacles. How can this be? Take a look at the following OpenID phishing example:

While researching woodworking, you find a nice set of plans for a workbench at www.EvilWoodWorkers.com. The plans are free to download once you create a login for the site. Luckily, they accept OpenID logins, so you won’t have to waste a bunch of time filling stuff in. You click login and then follow the instructions to enter your OpenID URL. Unbeknownst to you, instead of redirecting you to your OpenID login page, EvilWoodWorkers.com simply follows the URL and copies your login page, on the fly, to their own phishing server, which happens to have a long, unpronounceable URL. This server logs everything you type to a handy, searchable Database (based on EvilSQL 2.0). You, however, simply find yourself staring at an exact replica of your normal login page that you’ve seen a thousand times, aside from the URL. And instead of looking at that long and unpronounceable URL, your eyes gravitate to the slowly blinking cursor which is waiting patiently for you to type in your username and password. The muscle memory in your fingers takes care of typing out the login details. You hit enter. You download your Work Bench Plans for free. A week later, you log back in and leave a comment thanking EvilWoodWorkers.com for the nicely done PDF.

Alas, the fly in the sauce here is that the Phisher’s Database now contains your OpenID URL, your OpenID Username, and your OpenID password. They have obtained, with elegance and style, the keys to your castle.

Everything that you use OpenID for now belongs to the Phisher.

How can this be? Why? The key point of failure in the above OpenID example is the redirection process. Normally (without OpenID), when you log in to a website, say Visa.com, you enter your username and password on a page hosted somewhere on that company’s domain. If you went to log in to Visa.com and it redirected you to some other website, with a totally different design, a different URL, and a different name, then you would be pretty darn suspicious that something phishy was going on. However, with OpenID, being redirected like that is simply business as usual. OpenID trusts the 3rd party site (Visa.com in this case) to redirect you to your OpenID provider’s log in page. That trust is the key flaw upon which phishers prey. The fact that you have to trust a criminal with part of the log in process is what makes this such a catastrophic vulnerability in OpenID.

Obviously, not every site is run by thieves. The real downside here is that you have no way of knowing which is which. Since OpenID uses the same log in info everywhere, if the 99th site you log in to hits you with a successful phishing attack, then every previous (and future) site is now compromised as well.

OpenID is not without benefits, though. As we discussed previously, OpenID can potentially streamline and simplify the log in and sign up processes at supported websites. The potential conveniences it offers are definitely attractive.

Would I use OpenID? Sure. Given a couple caveats:

  1. I only intend to use OpenID at low value sites
  2. I only use https OpenID URLs in order to minimize the risk of phishing
  3. I only use OpenID at sites with which I already have a trust relationship

OpenID stands to improve considerably as it progresses. Perhaps the best part about OpenID is that it’s Open Source. Its development is shaped and directed by the community which uses it.

The bottom line:

If you’re an early adopter who likes to play with new toys and you have a good eye for security issues (or an extremely high risk tolerance), then OpenID is a great playground.

If you are just looking to make your online life easier and more streamlined, then stay away from OpenID for now. It’s not ready for prime time yet, and even though it seems like we’ve talked about some nasty looking flaws, there are likely even more problems yet to be uncovered.

Turning Lemons into Lemonade – and Adding Song!

Remember that horrible writer’s strike that the Writer’s Guild subjected us all to? Of course you do! If you watched any regular programming during last year’s television season, your shows were disrupted and TV pretty much came to a standstill.

During that awful time, a group of very creative guys (the Whedon brothers) wrote a comical musical for Internet distribution only. The idea was to entertain, provide something of worth for those of us starving for new content, and simply crack a joke or two. This musical was available for free to watch streaming from the web site for several weeks and is now available on iTunes for a mere $1.99 per episode or $4.99 for the season pass to all three.

What am I talking about? Why, Dr. Horrible’s Sing-Along Blog of course! I know, I know, this isn’t “new” – but did YOU already know about it? If not, you’ve got to do yourself a favor and take 43 minutes to enjoy this wonderful creation. You’ll find yourself humming the tunes, and later, reaching to watch it again and again. Catchy, it is. And hey, if you’ve already seen it, isn’t it time to watch it again?

10 Things You May Not Know About Blogger

1. Blogger is a Turnkey solution. Once you sign up, you simply choose a blog name and a template, and you’re good to go! You can even rename your blog, giving it a new website address, if you decide you like a different name better without having to create a new account.

2. There are 16 preset templates to choose from, including some that have multiple variations bringing the template choice up to 38! This includes only what Blogger provides, but you can find plenty of other templates in a variety of locations. Plus, you can change anything you want with the template, and use a pre-existing one as a skeleton from which to build. Let me explain…

3. Want to change the color scheme of your template without messing with the code? You can point and click your way through a color makeover, and preview your changes as you make them without making any commitments. Easy changes without knowing a lick of HTML!

4. If hands-on code is what you want, you can do that too! Change how much or how little you like, even change from two columns to three! Click Preview to load the page in a new tab or window so you can see exactly what things will look like before saving. Don’t like the changes? No problem – nothing will change until you hit “Save Template.”

The HTML and CSS are together in the same file, so all the code you need to make a fantastic looking site is all there, in one place. If you’re under the impression that you can’t make a great looking site with Blogger, take a look at The Blog of Doug Cloud. Doug’s site is a wonderful example of just how much you can customize your Blogger Blog. Go ahead, drool on his site a bit, he won’t mind.

5. Now let’s say you want to add some interactive features to your site. MyBlogLog is a great example.

You can hop on over to MyBlogLog, create an account, and gather the appropriate code to copy/paste into Blogger. Once you have the code copied, head back to your Blogger Dashboard and go to Layout, then Page Elements and click Add a Gadget. Simply choose the HTML/JavaScript gadget and paste the code from MyBlogLog into the Content box and Save. That’s it! No scripts, downloads, or plugins required.

6. Want to add other elements to your Blog? Take a look through the Add a Gadget options as there are plenty from which to choose. You can add Link Lists, Blogrolls, Pictures, RSS feeds, Adsense, HTML/JavaScript (for MyBlogLog, Google Reader, and others), etc. The options are practically endless. Once the item is on your Dashboard you can reposition it with ease, as all the elements on your Dashboard move by way of “Click and Drag.” Below is an example of what my Dashboard looks like on a test site. The entire page layout is there for you to re-arrange with ease, and allows you to keep the overall site structure in mind.

7. Now that you have your Blog up and running with all the gadgets you could possibly want, you may find yourself bored with your current layout. After all, change can be fun. One quick and easy way to spice up your site is to change your template. One of my favorite resources for Blogger templates is http://www.ourblogtemplates.com/. Their templates look good and work as expected. You can also take a look at http://btemplates.com/ or http://blogger-templates.blogspot.com/ or simply search on Google for more Blogger Templates. There are hundreds of free designs to choose from, you just need to go out and find them. You can upload the template directly to your site or create a test blog hidden from everyone but you so you can play around with templates and changes without worries until you know exactly which design you want to use.

8. You can of course do all of your writing directly in Blogger, but you can also use software that may make the job a little easier. Windows Live Writer is what I prefer, and it’s such a fantastic tool, I can’t believe it’s free. The best feature of this software is being able to edit images (add borders, drop shadows, etc.) as you go – no need to switch to a different software application. Windows Live Writer will also upload the pictures along with the post, so all in all, it’s a very handy tool.

9. Automatic Software Updates! This could be a negative depending on your philosophy, but I see it as a positive. Blogger makes updates seamless so you don’t have to worry about staying on top of patches and updates.

10. The Blogger community. There are MANY Blogger sites out there, but there are two that stand above the rest. Blogger Buster and Tips for New Bloggers will keep you busy tweaking your site as you continue to learn all the cool and wonderful things you can do with Blogger. These sites are definite “must bookmark/subscribe”. I wish I could highlight all the wonderful things these two sites provide, but there is just too much there and not enough time.

So there you have it. 10 Things You May Not Know About Blogger – in a nutshell.

This Week in Review – Edition #2

Some news from the Home Front! This week Sharon’s Report Techafina went through yet another design overhaul. What can I say, I’m indecisive! If you read site updates from your RSS Reader and haven’t been to the site in a while, this is a good time to check it out. Feel free to leave comments about the changes. And, since I’m STILL not sure if I like the design, if you do, or don’t, I’d love to hear your thoughts!

In addition to the site redesign, I have now added a Contact Form page so I can be reached easily without sharing my email address with spammers. As a side-note, the workaround with Blogger to have extra “pages” on your blog is to simply create a new post, and link to that post. I used that method to create the contact form “page”, but back dated it to the end of July so it wouldn’t appear as a recent post. Unfortunately, FeedBurner still published it as a feed as though it were a new post (so that should help clear up any confusion you may have about receiving that odd feed)! Also, it’s a Blogger tip for you if you just happen to be wondering how to do that, now you know how!

The portion above is now slightly irrelevant, as I switched from Blogger to WordPress. Why? I’ll explain that in another post… (8/31/08)

Now, without further ado, here are some great things moving and shaking around the ‘Net this week…

1. Cool Blog Find! TeleRead: Bring the E-Books Home, is a site focused on ebooks of course, in all its related contexts. If you read anything in digital format you’ll want to check out this site.

2. As I admitted earlier this week, I am a proud owner of a new Kindle. With that in mind, I had to throw in a link for fellow Kindle owners! Check it out: Kindlerama, complete with Kindle Tips & Tricks, accessory reviews, and “how to” information.

3. Like random cool geeky blogs? Pixel Bits is definitely an “interesting” find. I may add this to my Blog Roll (if I ever set one up).

4. Haven’t had enough Twitter yet? Want to find more interesting folks to follow near you, or with similar interests? TwitterPacks is a Wiki just for that purpose. I found several cool people to add to my Twitter Network and even added myself to the Dallas section. Wikis can be quite handy…

5. This week my focus seems to have been on Security, so in keeping with that theme, here is a Beginner’s Guide to OpenID Phishing. Like the site owners, I do not in ANY WAY condone phishing in any form, but it is important to know that this exists and be informed.

6. And, You’re No One if You’re Not on Twitter, because

“…if you haven’t been bookmarked, retweeted and blogged, you might as well not have existed…”  This is a seriously catchy tune by Ben Walker.

That takes care of this week, I hope you all have had a wonderful Holiday weekend!

OpenID: Benefits and Risks

By David Rosen

Last week we defined OpenID. This week we’re going to talk about why you might choose (or not choose) to use OpenID.

As promised, let’s discuss the Benefits…

Simplified Login
Single Username and Password for multiple sites. You only have to authenticate to OpenID one time per session. Once you are logged into your OpenID account, OpenID can automatically log you in to the other websites that you visit.

Unique Web Identity
No more wondering if the post by “CowboysFan” on one website is by the same person as “CowboysFan” on another website. OpenIDs are unique everywhere.

Information Management
OpenID servers have features such as “information profiles”, that let you control how much personal information each particular site has access to. Some sites might only get your name and email address, while you may allow others to automatically get your full contact information.

Decentralized
Anyone can run their own OpenID server. You’re not tied down to any particular company or bound to a proprietary system.

Security
The websites which accept OpenID never get your log in information. That information is only shared with your OpenID server. There is also the benefit of user customizable security level. You can define your own login method (or methods) for OpenID:

  • Username and Password – just like normal
  • Getting an SMS message that requires you to reply
  • Choosing a sequence of pictures
  • Receiving a phone call on your cell and pressing a button to allow the authentication
  • Finger print scanner, USB Key, RSA tokens, etc…

As you can see, OpenID can make your online experience smoother and easier. It also provides social benefits, such as a unique identifier. Your online identity already spans multiple websites but it no longer has to span multiple names. You can be “you” everywhere. The security benefits of OpenID are nice, too. One of the main reasons I use multiple passwords is that I don’t want to use the same password for my Online Bank that I use for posting comments on a blog. If the blog was set up incorrectly, then my password could be stolen and used maliciously. With OpenID, neither the blog nor the bank would ever see my password to begin with.

Speaking of security, that brings us to the Risks:

All Your Eggs in One Basket?
If your OpenID account is compromised, you can say “Bye, bye Humpty Dumpty” because everything tied to it is now gone.

Unique Web Identity
Overheard in the breakroom, “Hey look! I just found Bob’s OpenID posted on a personal ad at www.TranssexualNaziEskimos.com!”

Decentralized
Multiple points of failure: If your OpenID server has an outage, you can no longer log in to all the sites that use it.

Security
Phishing attacks are now a primary threat.

This list might be small, but the items on it are big. Some of the obvious solutions to the issues here break the features presented above. Don’t like having all of your eggs in one basket? Just create multiple OpenID accounts. It’s not the end of the world, but it does start to erode a major selling point, the convenience factor. The most negative point here is Security. OpenID is a ripe target for phishers. “Phishing” is the process of attempting to trick users into handing over their usernames and passwords, or other sensitive information. How? Come back next week for the final segment of OpenID Explained, discussing the phishing risk in greater detail.

Read Any Good eBooks Lately?

I did it. I finally bit the bullet and bought an Amazon Kindle. The Kindle caught my interest when rumors first broke about its upcoming debut, and now that it has been available for several months I decided it was time to take another look.

If you are not familiar with the Kindle, it is an electronic reading device, but it has a special e-ink screen that makes your eyes feel like they are reading from paper, not a lit screen. My BlackBerry makes a decent reading platform, but not a GREAT one. I enjoy reading in short spurts on it (as mentioned previously, I am seriously addicted to Viigo) – but the backlit screen is just not comfortable for extended periods of reading.

Moving toward a digital library is becoming easier as time goes by, as every day more and more books are being released in the digital format. Most Classics are free, and there is a large selection of ebooks available in a variety of formats. Although Kindle Books (purchased through Amazon) are tied to a single Amazon account, more than one device can be managed by an account to allow content sharing. This isn’t a perfect situation, as sharing only applies to books, not subscriptions such as blogs, magazines, or newspapers – and “Amazon Recommendations” will no longer be geared toward YOUR reading preferences. The slight problems aside, I am absolutely adoring my new Kindle, and I can say in earnest it really is as cool as everyone says it is. Reading on the Kindle feels equivalent to reading newsprint but ink smudges are a thing of the past.
If you are looking to add ebooks to your digital collection, here are a few links to get you started:

Happy Reading!
Image credits: Kindle by John Pastor, Books by Manu M

Welcome, and Thank You!

I want to take a moment and point out that last night’s What is OpenID article was NOT written by me. If you read it quickly you may not have noticed that the name David Rosen is the name in the byline! Yes, I managed to convince my husband to be an occasional guest author here on Sharon’s Report Techafina, so please give him a hearty welcome and show your support! He has a follow up post in the works, and another article or two up his sleeve. Welcome Dave, and thank you for highlighting OpenID for us and kicking off some well needed focus on web security.

What is OpenID?

By David Rosen

If you have signed up for a new service recently, you may have noticed an option to use something called OpenID. You may have noticed that it is an option when you log in to Plaxo, LiveJournal, or WordPress. You may have heard that AOL and Yahoo are now OpenID providers. Many OpenID sites extol the virtues and benefits that come with it… “Only one password to remember!” “Decentralized!” “Open Source!” “Establish your identity anywhere and everywhere!” But they all tend to explain only the benefits of OpenID rather than what it actually IS. Today we’re going to answer the question, What is OpenID?

First a quick digression: What is authentication? Normally, to log in to your account at a website, you first identify yourself with a username, and then you prove that you own it by providing a password. This process is “Authentication.” It doesn’t have anything to do with your Plaxo contacts, your Blogger profile, or your Flickr pictures. Authentication is claiming that an identity is yours (username) and proving it (password).

There are many ways to authenticate to a system besides usernames and passwords; you use some of them already. Need an example? Think about getting money from an ATM. First you claim who you are by providing your ATM Card. Next you prove it by entering the PIN (a 4-digit password).

There are also methods of authentication that don’t directly require passwords at all. In fact this occurs almost every time you sign up for a new account online. Say you’re signing up for an account at Plaxo.com… At some point you claim that an email address (an identity) is yours, by entering it into the sign up form, and then you have to prove that it is indeed yours. How do you do that? By going to your email, logging in and receiving an email with a secret code to enter or a secret link to click. You have now authenticated your email identity without ever having to hand over your Gmail password to Plaxo. NOTE: Your email username and password were still required indirectly. You had to enter them to check your email, but your email password was never entered at Plaxo.com.

Now back to the real question: What is OpenID?
OpenID is just another method of authenticating yourself – one that is similar to the email registration example above, but more automated. With OpenID your identity is a Website rather than an Email address or a Username. You first claim that you own a website (an identity), and then you have to prove it. But, just like in the email registration example, you never directly hand over the username and password to your OpenID website. So how do you prove you own it? Same method as in the email example: you go to your OpenID and log in. But in this more automated version, the service you want to use (Plaxo.com for example) automatically redirects you to your OpenID website. Then, instead of having to click a secret link or type in a secret code to prove you logged in, the OpenID website itself simply tells the requesting service (Plaxo) whether you passed or failed authentication.

Need a concrete example? Here is a simplified version of what happens when I want to log in to my Plaxo.com account:

  1. I go to Plaxo.com and choose the option to Sign in with OpenID
  2. I type in “https://dnszero.myopenid.com” and hit enter
  3. Plaxo sends me to my OpenID site (www.myopenid.com) to log in
  4. I log in at myOpenID.com
  5. myOpenID.com sends me back to Plaxo.com, and tells Plaxo.com whether I passed or failed authentication

Still wondering what the benefit is here? It’s two-fold: First, I can use dnszero.myopenid.com to log in everywhere that OpenID is accepted. No more having to remember 8 usernames and 6 passwords. Second, these websites that I log into never touch or even see my password. I don’t have to worry that a flaw in one website’s security will compromise my password (the same password I use to log in everywhere, in this case).
Pure bliss, right? Maybe, maybe not. Come back next week and we’ll touch on some of the benefits and some of the major flaws.
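The five-step redirect above, and the EvilWoodWorkers redirect from the Phishing post, modelled together as an added example (not code from these posts or from any OpenID library). The relying party's return URL, the phishing host, the provider's user store and the RP/OP association secret are constructed; the openid.* parameter names follow OpenID 2.0, but discovery is an in-memory table and signing is simplified so it runs offline.

```python
"""Simplified model of the OpenID login round trip (steps 1-5 of the post) and of
the check that defeats the redirect phishing the earlier post warns about.

Added example, not code from the post or any OpenID implementation. The relying
party's return URL, the phishing host, the user store and the association secret
are constructed; parameter names follow OpenID 2.0, but discovery is a table and
signing is simplified so the example runs offline.
"""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

OP_ENDPOINT = "https://www.myopenid.com/server"
# Constructed discovery table: identifier -> provider endpoint. A real relying
# party fetches this from the identifier URL itself (Yadis/HTML discovery).
DISCOVERY = {"https://dnszero.myopenid.com/": OP_ENDPOINT}
ASSOC_SECRET = b"constructed-association-secret"  # agreed RP<->OP beforehand
OP_USERS = {"dnszero": "correct horse battery staple"}  # only the OP holds these

def normalize(claimed_id: str) -> str:
    """Step 2: the user types an identifier; fill in the scheme/slash they omit."""
    if "://" not in claimed_id:
        claimed_id = "https://" + claimed_id
    p = urlparse(claimed_id)
    return f"{p.scheme}://{p.netloc.lower()}{p.path or '/'}"

def rp_redirect(claimed_id: str, return_to: str, send_to: Optional[str] = None) -> str:
    """Step 3: the relying party chooses where the browser goes. An honest RP uses
    the discovered endpoint; the post's point is that a dishonest one can send the
    browser to a look-alike page it controls (send_to) with the very same parameters."""
    cid = normalize(claimed_id)
    params = {"openid.ns": "http://specs.openid.net/auth/2.0",
              "openid.mode": "checkid_setup", "openid.claimed_id": cid,
              "openid.identity": cid, "openid.return_to": return_to}
    return (send_to or DISCOVERY[cid]) + "?" + urlencode(params)

def safe_to_type_password(claimed_id: str, page_url: str) -> bool:
    """The user's defence that the post says muscle memory skips: before typing
    the password, confirm the page is on *your* provider's host, over https."""
    expected, actual = urlparse(DISCOVERY[normalize(claimed_id)]), urlparse(page_url)
    return actual.scheme == "https" and actual.netloc.lower() == expected.netloc.lower()

def _sign(fields: dict, signed: list) -> str:
    """Key-value signing form shared by the OP (signing) and the RP (verifying)."""
    msg = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return hmac.new(ASSOC_SECRET, msg.encode(), hashlib.sha256).hexdigest()

def op_login(redirect_url: str, username: str, password: str) -> str:
    """Steps 4-5: the OP checks the password (the RP never sees it) and sends the
    browser back to return_to with a signed pass, or a cancel on failure."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    return_to = q["openid.return_to"]
    if OP_USERS.get(username) != password:
        return return_to + "?" + urlencode({"openid.mode": "cancel"})
    signed = ["op_endpoint", "return_to", "claimed_id", "identity"]
    fields = {"openid.ns": q["openid.ns"], "openid.mode": "id_res",
              "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": return_to,
              "openid.claimed_id": q["openid.claimed_id"],
              "openid.identity": q["openid.identity"], "openid.signed": ",".join(signed)}
    fields["openid.sig"] = _sign(fields, signed)
    return return_to + "?" + urlencode(fields)

def rp_verify(response_url: str, expected_return_to: str) -> Optional[str]:
    """The RP learns only pass/fail and the identifier: it recomputes the signature
    with the association secret and rejects anything that does not check out."""
    q = {k: v[0] for k, v in parse_qs(urlparse(response_url).query).items()}
    if q.get("openid.mode") != "id_res" or q.get("openid.return_to") != expected_return_to:
        return None
    ok = hmac.compare_digest(_sign(q, q["openid.signed"].split(",")), q.get("openid.sig", ""))
    return q["openid.claimed_id"] if ok else None

def demo():
    """Honest round trip, then the EvilWoodWorkers-style redirect caught by the check."""
    rt = "https://www.plaxo.com/openid/return"  # constructed return URL
    honest = rp_redirect("dnszero.myopenid.com", rt)
    back = op_login(honest, "dnszero", OP_USERS["dnszero"])
    # Constructed phishing host: same parameters, look-alike page, wrong origin.
    evil = rp_redirect("dnszero.myopenid.com", rt, send_to="https://login-myopenid.example/server")
    return (safe_to_type_password("dnszero.myopenid.com", honest), rp_verify(back, rt),
            safe_to_type_password("dnszero.myopenid.com", evil))
```

Calling demo() walks the honest flow (the RP ends up knowing only the identifier, never the password) and then shows that the only signal distinguishing the phishing redirect is the host of the page asking for the password.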

Image Credit: Photo by Konrad Mostert

Twitter: See the Other Side of the Conversation

Twitter previously had a function that allowed you to click on the profile of someone and see their replies. I’m not sure when that feature disappeared, but it leaves people at a loss when seeing only part of the conversation come through to their stream. That happens if they are following you, but not your friend who you just replied back to on Twitter.

The Replies tab was useful to clue you in on the other half of the conversation, if you were curious enough to take a look. Earlier today, I came across @Pistachio and noticed that she is using a GREAT work-around for Twitter’s missing feature! In her Bio, she has added a link to her replies on http://search.twitter.com. That’s fantastic! I immediately copied her methods and did the same for myself, and at the same time noticed a new search feature in action. The ability to use a “threaded view” was added to Twitter Search a few weeks ago but I didn’t pay too much attention to it at the time.

To see the beauty of the threaded views, take a look at this example. I do not know @danhounshell, and do not receive his Tweets. Therefore, I didn’t know what @JamesShaw was specifically replying to (aside from the fact that his Tweet makes sense, but let’s pretend it didn’t for the moment). Out of five Tweets, the only one I saw was the one that had my name (@SharnAtlanta) in it. Take a look at the screenshot below.

Now, when we click the “Show Conversation” link below the Tweet, we see the entire threaded conversation! I can now see:

And voila! You can now see BOTH sides of the conversation! I hope this feature becomes a regular part of Twitter.com! In the meantime, be sure to bookmark Twitter Search for future reference and insight into those one-sided conversations.

Social Media, as Spoken Word

Thanks to this Tweet by LouisGray on Twitter this morning:

I was notified of a fantastic rendition of Social Media – as Spoken Word by Rasheen Porter. Rasheen, let me just say, you blew me away with this video.

For anyone not in the loop with regard to Social Media, here are all the items Rasheen mentions (within ONE minute!) with the respective links.

SocialMedian: http://www.socialmedian.com/
Michael Arrington (of Tech Crunch): http://www.techcrunch.com/about-michael-arrington/
LouisGray: http://www.louisgray.com/
Google Reader: http://www.google.com/reader/
StumbleUpon: http://www.stumbleupon.com/
Corvida: http://shegeeks.net/
Twitter: http://twitter.com/
FeedBurner: http://feedburner.com/
ReadBurner: http://www.readburner.com/
12 Seconds: http://12seconds.tv/
seesmic: http://seesmic.com/
Lijit: http://www.lijit.com/

What, you haven’t seen this video yet? Take a look: http://tinyurl.com/socialpoetry