[Opensim-dev] OpenID

Diva Canto diva at metaverseink.com
Tue Mar 3 01:32:39 UTC 2009


From where I stand, it seems like a complete irresponsibility to deploy 
this out there for real, with a 2.0 tag, without first understanding 
if/how people detect phishing in this particular context. There have 
been enough studies in the past about how normal people handle security 
(or not) in practice, and the fallacies of designing systems assuming 
that people choose security over convenience.

But hey -- I have no interest in the success or failure of the 
corporations that are pushing for this.
I'll just stay here in my academic ivory tower watching the phishing 
artists unwrap this wonderful present that is falling into their laps...
http://marcoslot.net/apps/openid/


And that's my last email about OpenID; case closed afaic, I'm too old 
and too cranky for these Web 2.0 experiments. I'd rather continue trying 
to solve the problem for real :-)

Crista

Aldon Hynes wrote:
> It is worth noting that Microsoft is now adopting OpenID as well.  A while
> ago it went into testing.  The idea is that you can use Microsoft Live as
> your OpenID provider.  I've tested it and it works fairly well.  In fact, I
> think it works better than the Google implementation.  However, I still
> prefer XRI-based OpenID.
>
> =aldon.hynes
> @ahynes1
>
> -----Original Message-----
> From: opensim-dev-bounces at lists.berlios.de
> [mailto:opensim-dev-bounces at lists.berlios.de]On Behalf Of Ralf Haifisch
> Sent: Monday, March 02, 2009 6:39 PM
> To: opensim-dev at lists.berlios.de
> Subject: Re: [Opensim-dev] OpenID
>
>
> Crista,
>
> this is an upcoming standard and common sense. If I do an audit based on ISO
> 27.001, this is a perfect thing and would get some applause if implemented,
> generally speaking.
>
>
> It is based on the established ideas from LDAP+Kerberos combining systems,
> that use this triangle of user/workstation - auth-provider and
> auth-subscriber in principle, as well.
>
>
> Microsoft did try to run this with .Net Passport (uhm... maybe they even had
> a name before that) and had a set of criteria you have to fulfill before
> joining the system.  People did not like this "closed source big brother -
> alike" system.
>
>
> OpenID and SAML are major topics for those devs that are into security
> systems right now. Claim-based systems and rights management are often based
> on this.
>
>
> It is all about a "secure stack".
>
> - hopefully, you did write your operating system - why could it be trusted
> otherwise ?
> - what about the keyboard ?  easy going to implement what I need
> - is there a "nuble" on your monitor's video cord ? is this for anti-interference
> reasons... hmmm..
> - you print out strategic papers or sources on the big laser printer on the
> floor (sure, only you in the building)..  I did fetch interesting stuff
> unencrypted from these devices
> - you had this all-new USB hard disk for backups that came with some new
> drivers ?
>
> Unless the whole stack from hardware to service is secure and trusts are
> built and verified against each other.... what you see is the best that is
> realistically achievable:
>
>
> --> warn the user, if something is maybe wrong.
>
>
> It's you who chooses the OpenID provider (I guess VeriSign is somewhat secure
> for me)
>
> It's you who uses a service - and would have done so even without OpenID.
>
> It's you who gets a warning about possible fraud, which you would not have been
> getting without OpenID.
>
>
> Instead of OpenID the usual user has 2000 passwords and requests new
> passwords via clear-text email over the web, regularly.
>
>
> So - in total a regular user gets more security.  That's the basic idea.
>
>
> In some years we will use at least 2-factor authentication.  E.g. the
> Netherlands did start giving out passports with a digital ID (certificate).
> Cheap readers will spread.
>
>
> There is a common sense that "exo-technical means" will better serve
> security needs in future. The more business-driven standards like ISO 27.001
> and 38.500 respect this. Technical means will fulfill a task assigned
> exo-technically.
>
>
> Let's say - this is a new and upcoming system.
> It's not worse than what we have.
> It has many options to get better on a standard architecture.
>
>
> It's a little bit like the 3D web story...
>
>
> Cheers,
> Ralf
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 02 Mar 2009 14:44:46 -0800
> From: Diva Canto <diva at metaverseink.com>
> Subject: Re: [Opensim-dev] OpenID
> To: opensim-dev at lists.berlios.de
> Message-ID: <49AC615E.5010904 at metaverseink.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> OMG!
> Sorry for insisting on this, but I tend to get obsessive when I'm trying
> to figure things out :-)
> I just tried logging in to some random Brazilian site using my OpenID-ed
> Yahoo account. Indeed, it... works... I guess.
> I seem to have been redirected to a yahoo openid login page, which,
> after I entered my password, proceeded to warn me that "Warning: this
> web site has not confirmed its identity with Yahoo! and might be
> fraudulent....".
>
> I have no idea/guarantees that this site that the Brazilian site
> redirected me to, that looks like Yahoo, where I entered my password, and
> that is warning me of danger, is, indeed, a legitimate Yahoo site. It
> might not be. And I have no idea what that potentially fraudulent
> Brazilian site might do with the info it gets from Yahoo (assuming this
> is Yahoo and not a phishing scam).
>
> Sorry, this defies all common sense...
>
> I can see the *mechanism* of OpenID working among a group of
> organizations that trust each other by exo-technical means (read
> lawyers). But this mechanism in decentralized, world-wide open systems?!
> That's insane!
>
> Crista
>
> Diva Canto wrote:
>> The more I read about OpenID the more concerns I have that it's unsafe
>> -- not just for OpenSim but in general. It seems that OpenID is a
>> wonderful opportunity for phishing sites to get access to people's
>> passwords directly.
>>
>> The flaw is that it assumes that the initial site is trustworthy. That's
>> a huge assumption! Try to use your OSGrid OpenID-ed account in a future
>> version of DNCH... it will direct you to a page that will look like
>> OSGrid's login page, and then it will steal your password as you type it.
>>
>> Is this serious?! Maybe I'm missing something fundamental...
>>
>> <puzzled>
>> Crista
>>
>> _______________________________________________
>> Opensim-dev mailing list
>> Opensim-dev at lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>
>>
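The thread's concern is the redirect step of OpenID: the relying party (RP) picks the URL the browser is sent to for login, so a dishonest RP can send the user to a look-alike of the provider's login page, and a warning shown on that page proves nothing. The one piece of information the user controls is discovery on their own identifier, which yields the real OP endpoint. The following Python is an added, hypothetical user-agent-side checker illustrating that idea; it is not code from the thread, from OpenSim, or from any OpenID library, and every host, identifier and URL in it is constructed. It parses an OpenID 2.0 checkid_setup redirect, compares the target with the discovered endpoint using exact host matching (so `login.op.example.rp-login.example` is not accepted as `login.op.example`), and also checks that `openid.return_to` lies inside `openid.realm`, which is the separate way an assertion could be delivered to a party other than the site the user is logging in to.

```python
"""Checking an OpenID 2.0 login redirect against the user's own discovery result.

Hypothetical user-agent-side check for the flow discussed in the thread: the
relying party (RP) chooses where the browser is sent, so a dishonest RP can
send it to a look-alike of the provider's login page.  The one trust anchor
the user controls is discovery on *their own* identifier, so the redirect
target is compared with the OP endpoint that discovery produced.  All hosts
and URLs below are constructed for illustration.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed discovery result.  In real OpenID 2.0 this comes from Yadis/XRDS
# or <link rel="openid2.provider"> on the claimed identifier's page.
DISCOVERED = {
    "claimed_id": "https://alice.op.example/",
    "op_endpoint": "https://login.op.example/openid/server",
}


def build_auth_request(op_endpoint, claimed_id, return_to, realm):
    """RP side (simulated): compose a checkid_setup redirect URL."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return f"{op_endpoint}?{urlencode(params)}"


def parse_openid_request(url):
    """Flatten the openid.* query parameters of an authentication request."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items() if k.startswith("openid.")}


def same_site(url_a, url_b):
    """Exact scheme/host/port equality: no prefix or suffix tolerance."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def return_to_in_realm(return_to, realm):
    """Realm match: same scheme/port, host equal or under a '*.' wildcard, path prefix."""
    t, r = urlsplit(return_to), urlsplit(realm)
    if t.scheme != r.scheme or t.port != r.port:
        return False
    thost, rhost = t.hostname or "", r.hostname or ""
    if rhost.startswith("*."):
        host_ok = thost == rhost[2:] or thost.endswith("." + rhost[2:])
    else:
        host_ok = thost == rhost
    return host_ok and t.path.startswith(r.path or "/")


def check_auth_redirect(redirect_url, discovered=DISCOVERED):
    """Return the list of problems found; an empty list means the redirect is consistent."""
    problems = []
    target = urlsplit(redirect_url)
    params = parse_openid_request(redirect_url)
    op_host = urlsplit(discovered["op_endpoint"]).hostname

    if target.scheme != "https":
        problems.append("login redirect is not HTTPS")
    if not same_site(redirect_url, discovered["op_endpoint"]):
        problems.append(f"redirect host {target.hostname!r} is not the discovered OP host {op_host!r}")
    if params.get("openid.ns") != OPENID_NS:
        problems.append("missing or wrong openid.ns")
    if params.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        problems.append(f"unexpected openid.mode {params.get('openid.mode')!r}")
    if params.get("openid.claimed_id") not in (None, discovered["claimed_id"]):
        problems.append("openid.claimed_id is not the identifier the user typed")
    realm, return_to = params.get("openid.realm"), params.get("openid.return_to")
    if realm and return_to and not return_to_in_realm(return_to, realm):
        # The OP's signed assertion would be delivered outside the site that asked for it.
        problems.append("openid.return_to is outside openid.realm")
    return problems


# Constructed redirects: an honest RP, a look-alike login host, and a
# return_to that would bounce the assertion to a third party.
RP_RETURN, RP_REALM = "https://rp.example/openid/return", "https://rp.example/"
HONEST = build_auth_request(DISCOVERED["op_endpoint"], DISCOVERED["claimed_id"], RP_RETURN, RP_REALM)
LOOKALIKE = build_auth_request("https://login.op.example.rp-login.example/openid/server",
                               DISCOVERED["claimed_id"], RP_RETURN, RP_REALM)
BOUNCE = build_auth_request(DISCOVERED["op_endpoint"], DISCOVERED["claimed_id"],
                            "https://collector.example/grab", RP_REALM)

if __name__ == "__main__":
    for name, url in (("honest", HONEST), ("lookalike", LOOKALIKE), ("bounce", BOUNCE)):
        print(name, check_auth_redirect(url) or "ok")
```

The point of the exact-host comparison is the one the thread makes: nothing the RP or the landing page says can establish that the login page is the provider's; only the endpoint the user's own discovery step produced can, and a check like this has to live on the user's side of the redirect (browser or extension), since a malicious RP will not run it against itself.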
