[Opensim-dev] OpenID

Diva Canto diva at metaverseink.com
Mon Mar 2 22:44:46 UTC 2009


OMG!
Sorry for insisting on this, but I tend to get obsessive when I'm trying 
to figure things out :-)
I just tried to log in to some random Brazilian site using my OpenID-ed 
Yahoo account. Indeed, it... works... I guess.
I seem to have been redirected to a Yahoo OpenID login page, which, 
after I entered my password, proceeded to warn me that "Warning: this 
web site has not confirmed its identity with Yahoo! and might be 
fraudulent....".

I have no idea/guarantees that this site that the Brazilian site 
redirected me to, which looks like Yahoo, where I entered my password, and 
that is warning me of danger, is, indeed, a legitimate Yahoo site. It 
might not be. And I have no idea what that potentially fraudulent 
Brazilian site might do with the info it gets from Yahoo (assuming this 
is Yahoo and not a phishing scam).

Sorry, this defies all common sense...

I can see the *mechanism* of OpenID working among a group of 
organizations that trust each other by exo-technical means (read 
lawyers). But this mechanism in decentralized, world-wide open systems?! 
That's insane!

Crista

Diva Canto wrote:
> The more I read about OpenID the more concerns I have that it's unsafe 
> -- not just for OpenSim but in general. It seems that OpenID is a 
> wonderful opportunity for phishing sites to get access to people's 
> passwords directly.
>
> The flaw is that it assumes that the initial site is trustworthy. That's 
> a huge assumption! Try to use your OSGrid OpenID-ed account in a future 
> version of DNCH... it will direct you to a page that will look like 
> OSGrid's login page, and then it will steal your password as you type it.
>
> Is this serious?! Maybe I'm missing something fundamental...
>
> <puzzled>
> Crista
>
>   
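
The question raised in this thread is whether the login page a relying site redirects to really belongs to the provider. As an added example (not part of the original posts or of OpenSim), this Python sketch compares such a redirect with a provider endpoint the user already knows, the way a password manager matches origins. The `.example` hostnames, the endpoint path and the function name are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

OPENID2_NS = "http://specs.openid.net/auth/2.0"  # OpenID 2.0 namespace URI
AUTH_MODES = {"checkid_setup", "checkid_immediate"}

def check_op_redirect(redirect_url, known_endpoint):
    """Compare the URL a relying site redirected to with the provider endpoint
    the user already knows. Returns a list of problems (empty list = match)."""
    problems = []
    got, want = urlsplit(redirect_url), urlsplit(known_endpoint)
    if got.scheme != "https":
        problems.append("not https")
    if got.username is not None or got.password is not None:
        # In https://login.op.example@other.example/ the real host is other.example
        problems.append("userinfo in authority")
    try:
        got_port = got.port or 443
    except ValueError:
        got_port = None
        problems.append("invalid port")
    # Exact host comparison: suffix or substring matching lets look-alikes pass.
    if got.hostname != want.hostname:
        problems.append("host mismatch")
    elif got_port is not None and got_port != (want.port or 443):
        problems.append("port mismatch")
    if got.path != want.path:
        problems.append("path mismatch")
    params = parse_qs(got.query)
    mode = params.get("openid.mode", [])
    if params.get("openid.ns") != [OPENID2_NS] or len(mode) != 1 \
            or mode[0] not in AUTH_MODES:
        problems.append("not an OpenID 2.0 authentication request")
    return problems

# Constructed sample data: a known endpoint and redirects a relying site might issue.
KNOWN = "https://login.op.example/openid/auth"
QUERY = ("openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
         "&openid.mode=checkid_setup"
         "&openid.return_to=https%3A%2F%2Frp.example%2Freturn")
SAMPLES = {
    "genuine": KNOWN + "?" + QUERY,
    "suffix": "https://login.op.example.signin.example/openid/auth?" + QUERY,
    "userinfo": "https://login.op.example@signin.example/openid/auth?" + QUERY,
    "plain_http": "http://login.op.example/openid/auth?" + QUERY,
    "no_request": KNOWN,
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, check_op_redirect(url, KNOWN) or "ok")
```

The check only helps when the known endpoint comes from somewhere other than the relying site itself, such as a bookmark or a stored credential entry.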



