[Opensim-dev] OpenID

Hurliman, John john.hurliman at intel.com
Mon Mar 2 23:09:25 UTC 2009


Do you make a habit of sending your credentials to websites without checking the hostname and ignoring invalid SSL certificate warnings? That will create a problem.

John

>-----Original Message-----
>From: opensim-dev-bounces at lists.berlios.de [mailto:opensim-dev-
>bounces at lists.berlios.de] On Behalf Of Diva Canto
>Sent: Monday, March 02, 2009 2:45 PM
>To: opensim-dev at lists.berlios.de
>Subject: Re: [Opensim-dev] OpenID
>
>OMG!
>Sorry for insisting on this, but I tend to get obsessive when I'm trying
>to figure things out :-)
>I just tried logging in to some random Brazilian site using my OpenID-ed
>Yahoo account. Indeed, it... works... I guess.
>I seem to have been redirected to a yahoo openid login page, which,
>after I entered my password, proceeded to warn me that "Warning: this
>web site has not confirmed its identity with Yahoo! and might be
>fraudulent....".
>
>I have no idea/guarantee that this site the Brazilian site redirected
>me to, which looks like Yahoo, where I entered my password, and which
>is warning me of danger, is, indeed, a legitimate Yahoo site. It might
>not be. And I have no idea what that potentially fraudulent Brazilian
>site might do with the info it gets from Yahoo (assuming this is Yahoo
>and not a phishing scam).
>
>Sorry, this defies all common sense...
>
>I can see the *mechanism* of OpenID working among a group of
>organizations that trust each other by exo-technical means (read
>lawyers). But this mechanism in decentralized, world-wide open systems?!
>That's insane!
>
>Crista
>
>Diva Canto wrote:
>> The more I read about OpenID the more concerns I have that it's unsafe
>> -- not just for OpenSim but in general. It seems that OpenID is a
>> wonderful opportunity for phishing sites to get access to people's
>> passwords directly.
>>
>> The flaw is that it assumes that the initial site is trustworthy. That's
>> a huge assumption! Try to use your OSGrid OpenID-ed account in a future
>> version of DNCH... it will direct you to a page that will look like
>> OSGrid's login page, and then it will steal your password as you type it.
>>
>> Is this serious?! Maybe I'm missing something fundamental...
>>
>> <puzzled>
>> Crista
>>
>> _______________________________________________
>> Opensim-dev mailing list
>> Opensim-dev at lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>
>>
>
