[Opensim-dev] OpenID

Diva Canto diva at metaverseink.com
Mon Mar 2 23:57:48 UTC 2009


There is nothing wrong with the mechanism and its roots. In fact, when I 
first read the spec I liked it a lot. But I hadn't used this until 2 
hours ago.

There is, potentially, a huge hole in the resulting system because it 
ignores how people interact with their computers. Did anyone make a 
serious study about how normal people react to being phished on 
using OpenID? That sounds like a great project for one of my colleagues 
here at UCI...


Ralf Haifisch wrote:
> Crista,
>
> this is an upcoming standard and common sense. If I do an audit based on ISO
> 27.001, this is a perfect thing and would get some applause if implemented,
> generally speaking.
>
>
> It is based on the established ideas from LDAP+Kerberos combining systems
> that use this triangle of user/workstation - auth-provider and
> auth-subscriber in principle, as well.
>
>
> Microsoft did try to run this with .Net Passport (uhm... maybe they even had
> a name before that) and had a set of criteria you have to fulfill before
> joining the system.  People did not like this "closed source big brother-alike"
> system.
>
>
> OpenID and SAML are major topics for those devs that are into security
> systems right now. Claim-based systems and rights management are often based
> on this.
>
>
> It is all about a "secure stack".    
>
> - hopefully, you did write your operating system - why could it be trusted
> otherwise?
> - what about the keyboard?  Easy going to implement what I need
> - is there a "nuble" on your monitor's video cord? Is this for anti-interference
> reasons... hmmm..
> - you print out strategic papers or sources on the big laser printer on the
> floor (sure, only you in the building)..  I did fetch interesting stuff
> unencrypted from these devices
> - you had this all-new USB hard disk for backups that came with some new
> drivers?
>
> Unless the whole stack from hardware to service is secure and trusts are
> built and verified against each other.... what you see is the best that is
> realistically achievable:
>
>
> --> warn the user, if something is maybe wrong.
>
>
> It's you who chooses the OpenID provider (I guess VeriSign is somewhat secure
> for me).
>
> It's you who uses a service - and would have done so even without OpenID.
>
> It's you who gets a warning about possible fraud, which you would not have
> gotten without OpenID.
>
>
> Instead of OpenID the usual user has 2000 passwords and requests new
> passwords via clear-text email over the web, regularly.
>
>
> So - in total a regular user gets more security.  That's the basic idea.
>
>
> In some years we will use at least two-factor authentication.  E.g. the
> Netherlands did start giving out passports with a digital ID (certificate).
> Cheap readers will spread.
>
>
> There is a common sense that "exo-technical means" will better serve
> security needs in future. The more business-driven standards like ISO 27.001
> and 38.500 respect this. Technical means will fulfill a task assigned
> exo-technically.
>
>
> Let's say - this is a new and upcoming system.
> It's not worse than what we have.
> It has many options to get better on a standard architecture.
>
>
> It's a little bit like the 3D web story...
>
>
> Cheers,
> Ralf
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 02 Mar 2009 14:44:46 -0800
> From: Diva Canto <diva at metaverseink.com>
> Subject: Re: [Opensim-dev] OpenID
> To: opensim-dev at lists.berlios.de
> Message-ID: <49AC615E.5010904 at metaverseink.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> OMG!
> Sorry for insisting on this, but I tend to get obsessive when I'm trying 
> to figure things out :-)
> I just tried logging in to some random Brazilian site using my OpenID-ed 
> Yahoo account. Indeed, it... works... I guess.
> I seem to have been redirected to a yahoo openid login page, which, 
> after I entered my password, proceeded to warn me that "Warning: this 
> web site has not confirmed its identity with Yahoo! and might be 
> fraudulent....".
>
> I have no idea/guarantees that this site that the Brazilian site 
> redirected me to, that looks like Yahoo, where I entered my password, and 
> that is warning me of danger, is, indeed, a legitimate Yahoo site. It 
> might not be. And I have no idea what that potentially fraudulent 
> Brazilian site might do with the info it gets from Yahoo (assuming this 
> is Yahoo and not a phishing scam).
>
> Sorry, this defies all common sense...
>
> I can see the *mechanism* of OpenID working among a group of 
> organizations that trust each other by exo-technical means (read 
> lawyers). But this mechanism in decentralized, world-wide open systems?! 
> That's insane!
>
> Crista
>
> Diva Canto wrote:
>   
>> The more I read about OpenID the more concerns I have that it's unsafe 
>> -- not just for OpenSim but in general. It seems that OpenID is a 
>> wonderful opportunity for phishing sites to get access to people's 
>> passwords directly.
>>
>> The flaw is that it assumes that the initial site is trustworthy. That's 
>> a huge assumption! Try to use your OSGrid OpenID-ed account in a future 
>> version of DNCH... it will direct you to a page that will look like 
>> OSGrid's login page, and then it will steal your password as you type it.
>>
>> Is this serious?! Maybe I'm missing something fundamental...
>>
>> <puzzled>
>> Crista
>>
>> _______________________________________________
>> Opensim-dev mailing list
>> Opensim-dev at lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://opensimulator.org/pipermail/opensim-dev/attachments/20090302/64380dc5/attachment-0001.html>
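Added example, not code from this thread or from OpenSim: the warning Diva saw ("this web site has not confirmed its identity with Yahoo!") is what an OpenID 2.0 provider shows when relying-party discovery fails. The Python below models that provider-side decision: the realm/return_to matching rules of spec section 9.2 and the XRDS-based RP verification of section 13; the realm, return_to URL and XRDS document are constructed for the demo, and matching discovered URIs with the same prefix rules as realms is an assumption.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"
XRD = "{xri://$xrd*($v*2.0)}"   # XRD element namespace used by XRDS documents

def return_to_matches_realm(realm: str, return_to: str) -> bool:
    """OpenID 2.0 section 9.2: does return_to fall inside the realm?"""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme != u.scheme or r.scheme not in ("http", "https"):
        return False                           # no fragments; scheme must match
    default = 443 if r.scheme == "https" else 80
    if (r.port or default) != (u.port or default):
        return False                           # port must match
    rhost, uhost = (r.hostname or "").lower(), (u.hostname or "").lower()
    if rhost.startswith("*."):                 # wildcard realm, e.g. *.example.com
        suffix = rhost[2:]
        if "." not in suffix:                  # refuse over-broad realms like *.com
            return False
        if not (uhost == suffix or uhost.endswith("." + suffix)):
            return False
    elif uhost != rhost:
        return False
    rpath, upath = (r.path or "/"), (u.path or "/")
    return upath == rpath or upath.startswith(rpath.rstrip("/") + "/")

def rp_return_to_endpoints(xrds_xml: str) -> list:
    """Section 13 RP discovery: return_to URIs the relying party publishes."""
    root = ET.fromstring(xrds_xml)
    uris = []
    for svc in root.iter(XRD + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}
        if RETURN_TO_TYPE in types:
            uris += [x.text.strip() for x in svc.findall(XRD + "URI") if x.text]
    return uris

def verify_relying_party(realm: str, return_to: str, xrds_xml=None) -> str:
    """'reject' / 'warn' / 'verified', mirroring the provider-side decision."""
    if not return_to_matches_realm(realm, return_to):
        return "reject"                        # return_to outside realm: refuse
    if xrds_xml is None:
        return "warn"                          # no discovery document: Yahoo-style warning
    # Assumption: discovered URIs are matched with the same prefix rules as realms.
    if any(return_to_matches_realm(ep, return_to) for ep in rp_return_to_endpoints(xrds_xml)):
        return "verified"
    return "warn"

# Constructed sample: an RP that publishes its return_to endpoint via XRDS.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service><Type>http://specs.openid.net/auth/2.0/return_to</Type>
  <URI>https://rp.example.com/openid/return</URI></Service></XRD></xrds:XRDS>"""
```

The "warn" outcome is the one Diva hit: the return_to is consistent with the realm, but the provider has no independent evidence that the site owns it, so it can only flag the risk to the user rather than prove anything about the site.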

