[Additions in red in response to Bavo’s comments.]
Should have guessed that Phriend Phishing was first going to happen to somebody famous.
Now, how could that have been prevented?
What if:
- Twitter adopted OpenID as the only way of authenticating.
- Twitter showed the authenticated OpenID identifier instead of a (possibly made up) user handle on all tweets.
- Kanye West would have used his official website URL as his OpenID.
- Ergo, everybody could follow the OpenID to determine whether any phriend phishing is going on or not if it is clear to the user that the chosen OpenID URL represented the official site of Kanye West.
I admit that scenario is not entirely viable yet. For example, users are not familiar and comfortable enough yet with OpenID that a major-volume site like Twitter could switch to OpenID-only. But it’s close, and that’s the kind of adoption barriers that we need to work on over the next 12-18 months in the OpenID community.
Bavo points that that by itself, the OpenID identifier is no more authoritative than any arbitrarily chosen user name on Twitter. I agree. However, by establishing the link between Kayne’s website and the Twitter account via OpenID, it would be cryptographically proven that the website owner owns the particular Twitter account, which reduces the attack surface for Phriend Phishing by half. That is not too shabby and unobtainable by any other means that I’m aware of that works on the web. That was intended to be my point with this post. In case of famous people with fans, like here, the types of people who will follow their idol on Twitter are very very likely to know their authoritative website, so this would work very well.
For completeness: this scenario also requires trust that the relying party (here: Twitter) isn’t hostile, has implemented OpenID correctly, and communicated clearly in their user interface that the OpenID has been verified. That would be a reasonable assumption in case of Twitter. Now we just need them to implement OpenID ;-)