[Opensim-dev] OpenID
Diva Canto
diva at metaverseink.com
Mon Mar 2 22:44:46 UTC 2009
OMG!

Sorry for insisting on this, but I tend to get obsessive when I'm trying
to figure things out :-)

I just tried logging in to some random Brazilian site using my OpenID-ed
Yahoo account. Indeed, it... works... I guess.

I seem to have been redirected to a Yahoo OpenID login page, which,
after I entered my password, proceeded to warn me that "Warning: this
web site has not confirmed its identity with Yahoo! and might be
fraudulent....".

I have no idea/guarantees that this site that the Brazilian site
redirected me to, that looks like Yahoo, where I entered my password, and
that is warning me of danger, is, indeed, a legitimate Yahoo site. It
might not be. And I have no idea what that potentially fraudulent
Brazilian site might do with the info it gets from Yahoo (assuming this
is Yahoo and not a phishing scam).

Sorry, this defies all common sense...

I can see the *mechanism* of OpenID working among a group of
organizations that trust each other by exo-technical means (read:
lawyers). But this mechanism in decentralized, world-wide open systems?!
That's insane!

Crista
Diva Canto wrote:
> The more I read about OpenID the more concerns I have that it's unsafe
> -- not just for OpenSim but in general. It seems that OpenID is a
> wonderful opportunity for phishing sites to get access to people's
> passwords directly.
>
> The flaw is that it assumes that the initial site is trustworthy. That's
> a huge assumption! Try to use your OSGrid OpenID-ed account in a future
> version of DNCH... it will direct you to a page that will look like
> OSGrid's login page, and then it will steal your password as you type it.
>
> Is this serious?! Maybe I'm missing something fundamental...
>
> <puzzled>
> Crista
>
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
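An added example, not code from this thread or from the OpenSim project, to make the worry in both messages concrete from a defender's side. In OpenID 2.0 the relying party, not the user, picks the URL the browser is sent to (it learns the provider endpoint by discovery on the user's claimed identifier), so a dishonest relying party is free to send the browser to a lookalike login page instead. What the user can check is that the origin of the page asking for the password matches the provider endpoint discovered from their own identifier; what the relying party must check on the way back is that the assertion names that same endpoint and its own return_to URL. Every host name, the identity page and the lookalike URL below are constructed values; `same_origin`, `login_page_is_my_provider` and `assertion_matches_discovery` are names chosen here, and the last function covers only the return_to and op_endpoint checks from the OpenID 2.0 spec, leaving signature verification to the association or check_authentication step.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed sample (no real grid): the HTML a user's identity URL might serve.
CLAIMED_ID = "https://users.example-grid.test/crista"
IDENTITY_PAGE_HTML = """<html><head>
<link rel="openid2.provider" href="https://login.example-grid.test/openid/server">
<link rel="openid2.local_id" href="https://users.example-grid.test/crista">
</head><body>identity page</body></html>"""


class _LinkParser(HTMLParser):
    """Collects <link rel=... href=...> pairs from an identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for token in rel.split():
                self.links[token] = href


def discover(identity_html):
    """HTML-based OpenID 2.0 discovery on the claimed identifier.
    Returns (op_endpoint, local_id): this is how an honest relying party
    learns where the user's provider actually lives."""
    parser = _LinkParser()
    parser.feed(identity_html)
    op_endpoint = parser.links.get("openid2.provider")
    if op_endpoint is None:
        raise ValueError("identity page carries no openid2.provider link")
    return op_endpoint, parser.links.get("openid2.local_id")


def build_checkid_setup(op_endpoint, claimed_id, local_id, return_to, realm):
    """Build the redirect URL the relying party sends the browser to."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": local_id or claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)


def same_origin(url_a, url_b):
    a, b = urlparse(url_a), urlparse(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def login_page_is_my_provider(login_page_url, identity_html):
    """User-side check for the thread's concern: the page asking for the
    password must be served from the provider endpoint discovered from the
    user's own identifier (identity_html is what fetching the claimed
    identifier returns; constructed inline here), over https."""
    op_endpoint, _ = discover(identity_html)
    return (urlparse(login_page_url).scheme == "https"
            and same_origin(login_page_url, op_endpoint))


def assertion_matches_discovery(response_params, op_endpoint, expected_return_to):
    """Relying-party-side checks on a positive assertion: it must name the
    discovered endpoint and this RP's own return_to. Signature verification
    (association or check_authentication) is a separate step."""
    p = response_params
    return (p.get("openid.ns") == OPENID_NS
            and p.get("openid.mode") == "id_res"
            and p.get("openid.op_endpoint") == op_endpoint
            and p.get("openid.return_to") == expected_return_to)


def demo():
    """Returns (honest redirect passes check, lookalike redirect passes check)."""
    op_endpoint, local_id = discover(IDENTITY_PAGE_HTML)
    return_to = "https://rp.example.test/openid/return"
    realm = "https://rp.example.test/"
    honest = build_checkid_setup(op_endpoint, CLAIMED_ID, local_id, return_to, realm)
    # A dishonest RP sends the browser to a lookalike host of its own choosing:
    # identical query string, different origin (constructed value).
    lookalike = build_checkid_setup("https://login.example-grid.test.evil.test/openid/server",
                                    CLAIMED_ID, local_id, return_to, realm)
    return (login_page_is_my_provider(honest, IDENTITY_PAGE_HTML),
            login_page_is_my_provider(lookalike, IDENTITY_PAGE_HTML))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The origin comparison is the whole point: the lookalike URL carries exactly the same openid.* parameters as the honest one, so nothing in the page content or query string distinguishes them; only the scheme and host of the page that receives the password do.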