LiveID Protection from Spoofers; A must-have feature request

Mon, 02 Feb 2009 00:53:44 Z

Since it's relatively easy for anyone to create a [Sign in] link on their web page and redirect you to a bogus authentication page has anyone in the LiveID team put any thought into how to protect against this?

For example, a user goes to a company site and mistypes the url... say company.co.uk instead of company.com. Well company.co.uk is a spoofing site that looks like company.com except that the sign-in page sends you to some ASPX page that visually looks like a Federated or LiveID page, but it's saving whatever the user types in there (user/pass) to a local txt file.

What is to prevent the ASPX page from transparently redirecting the user to the real site using a .js form post?

Can we get some kind of standard published from secure@microsoft.com that says "Hey enduser, look at the URL up top and make sure it says xxx.yyy.zzz, if not call your it security department" or some other validation...

One possible solution is to have the authenticating server respond with the cryptographically signed IP address of the requesting user and use this for validation.

-Chris

LiveID Protection from Spoofers; A must-have feature request

Mon, 02 Feb 2009 02:24:27 Z

Hi Chris -

Appropriate forum to discuss this issue would be Windows Live ID: Development forum.
however, few resource links are provided here to give you an idea on what is available from Windows Live ID team:

Windows Live ID and phising

Windows Live ID adopts extended validation SSL certificates

Please take my credentials, no really take them

First law of password hygiene

Microsoft partners with Top Social networks to put users at the center of their data

Hope this helps, more detailed information would be available in Windows Live ID forum.

This posting is provided "AS IS" with no warranties, and confers no rights.