The success of the recent phishing attacks at Salesforce.com should trigger a fresh look at the risks of collecting authentication credentials (especially user names and passwords) on public web forms. The public web forms are the fundamental point of attack for phishers and until they are eliminated, successful phishing attacks will continue to occur and continue to cause significant business damage to companies like Salesforce.com and their customers.
The public web form used for authentication is at the center of most phishing attacks; here is a common sequence:
- a phisher creates a copy of the real web form and puts it out on the public internet
- sends a disguised link to a large group of users
- tricks a user into providing their real credentials to the fake form
- takes the real credentials to the real public web form and gets access to the application
Suggested remedies like training users and studying audit logs do not address the fundamental situation that makes phishing possible.
Removing the public web form from the process of accessing applications such as Salesforce.com would greatly lower the risk of getting phished. Adopting a federated SSO model for accessing Salesforce.com would allow for the elimination of public web forms.
In the federated SSO model, all credential collection happens internally. Users are authenticated within their own employers' security domains, and then a secure federation assertion is passed to the external application to authenticate the user there.
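To make the division of labour concrete, here is an added example (not code from the original post, and not Salesforce.com's or any vendor's implementation) of the two halves of the federated model: an identity provider inside the employer's domain that issues a signed assertion, and a service provider that has no password form at all and accepts only assertions it can verify. Real deployments use SAML or OpenID Connect with public-key signatures; this example substitutes a simplified HMAC-signed token and a constructed shared key so that it runs stand-alone. The issuer and audience URLs, the `idp_issue_assertion` function and the `ServiceProvider` class are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by the hypothetical IdP and SP (real systems use
# asymmetric signatures; the SP would hold only the IdP's public key).
IDP_KEY = b"constructed-demo-key-not-for-production"
TRUSTED_ISSUER = "https://idp.example-employer.test"   # assumed corporate IdP
SP_AUDIENCE = "https://crm.example-saas.test"          # assumed SaaS application


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- Identity provider side: runs inside the employer's security domain ---
def idp_issue_assertion(subject, audience, key=IDP_KEY, issuer=TRUSTED_ISSUER,
                        now=None, ttl=300):
    """Issue a short-lived, single-use assertion after the employer has
    authenticated the user by whatever internal means it uses. The password
    never leaves the employer's domain."""
    now = time.time() if now is None else now
    claims = {
        "iss": issuer, "sub": subject, "aud": audience,
        "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8),
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


# --- Service provider side: the external SaaS application ---
class AssertionRejected(Exception):
    pass


class ServiceProvider:
    def __init__(self, audience=SP_AUDIENCE, trusted_issuer=TRUSTED_ISSUER, key=IDP_KEY):
        self.audience = audience
        self.trusted_issuer = trusted_issuer
        self.key = key
        self.seen_ids = set()  # replay cache of consumed assertion ids

    def login_page(self):
        """There is no credential form to copy: the SP only redirects the
        browser to the employer's IdP."""
        return {"redirect": f"{self.trusted_issuer}/sso?return_to={self.audience}"}

    def consume_assertion(self, token, now=None):
        """Accept an assertion only if it is signed by the trusted IdP, meant
        for this application, within its validity window, and not replayed."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
        except ValueError:
            raise AssertionRejected("malformed assertion")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            raise AssertionRejected("bad signature")
        claims = json.loads(_unb64(body))
        if claims.get("iss") != self.trusted_issuer:
            raise AssertionRejected("untrusted issuer")
        if claims.get("aud") != self.audience:
            raise AssertionRejected("assertion not intended for this application")
        if not (claims["iat"] - 60 <= now < claims["exp"]):
            raise AssertionRejected("assertion expired or not yet valid")
        if claims["jti"] in self.seen_ids:
            raise AssertionRejected("assertion replayed")
        self.seen_ids.add(claims["jti"])
        return claims["sub"]


if __name__ == "__main__":
    sp = ServiceProvider()
    print(sp.login_page())  # no user name / password fields anywhere
    token = idp_issue_assertion("alice@example-employer.test", SP_AUDIENCE)
    print("logged in as", sp.consume_assertion(token))
```

The properties worth noticing from the defender's side: a copied login page has nothing to harvest, because the SP never renders a password field; an assertion captured in transit is bound to one audience, expires in minutes and is rejected on reuse, so it is far less valuable than a reusable password.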
Salesforce.com and many other SaaS/On Demand vendors currently support SSO; they do so primarily to meet customer requirements for convenience. The recent round of attacks should help them see that federated SSO is also a very useful tool for lowering the risk of getting phished. Yes, there are some use case details to be ironed out, such as support for deep linking, but the fundamental benefit of eliminating the risk associated with collecting credentials on a public web form should be enough to drive adoption of federated SSO in the SaaS/On Demand community.
Customers of SaaS applications should recognize the basic risks associated with having their employees enter user names and passwords on public web forms and demand a different model.
My guess is that in a couple of years we will look back on the practice of users inputting user names and passwords into public web forms as an arcane old-style web oddity, similar to the way we now look at the blink tag.
Those days were