[Opensim-dev] OpenID
Mike Mazur
mmazur at gmail.com
Tue Mar 3 07:53:08 UTC 2009
Hi,
On Tue, 3 Mar 2009 08:40:03 +0100
"Ralf Haifisch" <ralf at ralf-haifisch.biz> wrote:
> beiing pished - you are talking about "getting the users token" ?
The expected scenario is this:
1. Log into travel.com using OpenID
2. travel.com redirects you to myopenid.com for you to enter your pwd
3. You enter your valid OpenID password
4. myopenid.com redirects you back to travel.com, you are now authed
5. You book your ticket safely
The phishing scenario is this:
1. Log into travol.com using OpenID
2. travol.com redirects you to BADopenid.com for you to enter your pwd.
BADopenid.com looks just like myopenid.com, you don't notice the
different URL and the lack of SSL session
3. You enter your valid OpenID password
4. Now the bad guys have access to your OpenID account, and all the
services you use OpenID to authenticate with
Mike
More information about the Opensim-dev
mailing list