Registration - Security consideration on Logo needs to be written

Issue #596 resolved
Nat Sakimura created an issue

This is a phishing attack vector.

Comments (3)

  1. Former user (Account Deleted)

    A rogue RP, such as Aolicious, might show the logo for Aol, which it's trying to impersonate. An IdP needs to take steps to mitigate this phishing risk, since the logo could confuse users into thinking they're logging in to Aol.

    Displaying the domain of the callback URL is one option. An IdP could also warn if the domain/site of the logo doesn't match the domain/site of the callback URL. An IdP can also make warnings against untrusted RPs in all cases, especially if they're dynamically registered, have not been trusted by any users at the IdP before, and want to use the logo feature.
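As an added example, not code from this issue or from the OpenID Connect specification, here is one way an IdP could implement the consent-screen checks the comment above describes: always show the callback domain, warn when the `logo_uri` host does not belong to the same site as the `redirect_uris`, and warn for a dynamically registered client no user has trusted before. The metadata field names follow OpenID Connect Dynamic Client Registration; the sample client, hosts and the same-site heuristic are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample registration request, modelled on the rogue RP in the
# comment: the callback lives on one site, the logo is pulled from another.
SAMPLE_REGISTRATION = {
    "client_name": "Aolicious",
    "redirect_uris": ["https://aolicious.example/cb"],
    "logo_uri": "https://aol.example/images/logo.png",
}

def host_of(url: str) -> str:
    """Lowercased host of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()

def same_site(host_a: str, host_b: str) -> bool:
    """Heuristic: two hosts are the same site if one equals or is a subdomain
    of the other. A production IdP would compare registrable domains using a
    public-suffix list so that e.g. shared hosting suffixes are not treated
    as one site."""
    if not host_a or not host_b:
        return False
    return (host_a == host_b
            or host_a.endswith("." + host_b)
            or host_b.endswith("." + host_a))

def logo_warnings(metadata: dict, previously_trusted: bool = False) -> list:
    """Warnings an IdP could show beside the logo on the consent screen."""
    warnings = []
    logo = metadata.get("logo_uri")
    if logo is None:
        return warnings                      # no logo, nothing to warn about
    redirect_hosts = {host_of(u) for u in metadata.get("redirect_uris", [])}
    logo_host = host_of(logo)
    if urlparse(logo).scheme != "https":
        warnings.append("logo_uri is not served over https")
    if not any(same_site(logo_host, h) for h in redirect_hosts):
        warnings.append(f"logo host {logo_host!r} does not match callback "
                        f"host(s) {sorted(redirect_hosts)}")
    if not previously_trusted:
        warnings.append("dynamically registered client not yet trusted by "
                        "any user at this IdP")
    return warnings

def consent_banner(metadata: dict) -> str:
    """The callback domain is displayed regardless of what the logo shows."""
    hosts = sorted({host_of(u) for u in metadata.get("redirect_uris", [])})
    return "You will be sent back to: " + ", ".join(hosts)
```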
