[Opensim-dev] OpenID

Stefan Andersson stefan at tribalmedia.se
Tue Mar 3 10:59:32 UTC 2009


Diva,

while I know you've made your last post on the point, I just wanted to tell you I'm in 100% agreement. I had heard talk about the weakness of openId before, but never really looked into it.

This just amazes me.

Technicians really believe that we won't see forms posting to malicious pop-ups that have removed and/or substituted all browser UI? Counting on the end-user to know exactly what experience to expect, what icons to click to secure certificates?

If this is really how openId is supposed to work, if you're really supposed to be _told_ where and how to go to authenticate by _the_very_party_ you're trying to authenticate against...

Amazing.

Now, I won't comment further either. I believe it's more important to get ANY security scheme in place than to get the RIGHT one in place.

Let's just make sure it's pluggable.


Best regards,
Stefan Andersson
Tribal Media AB

> Date: Tue, 3 Mar 2009 16:53:08 +0900
> From: mmazur at gmail.com
> To: opensim-dev at lists.berlios.de
> CC: ralf at ralf-haifisch.biz
> Subject: Re: [Opensim-dev] OpenID
> 
> Hi,
> 
> On Tue, 3 Mar 2009 08:40:03 +0100
> "Ralf Haifisch" <ralf at ralf-haifisch.biz> wrote:
> 
> > being phished - you are talking about "getting the users token" ?
> 
> The expected scenario is this:
> 
> 1. Log into travel.com using OpenID
> 2. travel.com redirects you to myopenid.com for you to enter your pwd
> 3. You enter your valid OpenID password
> 4. myopenid.com redirects you back to travel.com, you are now authed
> 5. You book your ticket safely
> 
> The phishing scenario is this:
> 
> 1. Log into travol.com using OpenID
> 2. travol.com redirects you to BADopenid.com for you to enter your pwd.
> BADopenid.com looks just like myopenid.com, you don't notice the
> different URL and the lack of SSL session
> 3. You enter your valid OpenID password
> 4. Now the bad guys have access to your OpenID account, and all the
> services you use OpenID to authenticate with
> 
> Mike
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
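As an added illustration (not part of the thread above), this shows how a user agent that binds a stored password to the exact HTTPS origin where it was registered behaves in the two flows Mike describes: the honest redirect to the real provider gets the password, the lookalike provider, an SSL-stripped copy and a subdomain trick do not. The credential store and URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample: the user's OpenID password, bound at registration time to the
# exact origin (scheme + host + port) of the real provider. Nothing about how a page
# *looks* is stored, so a pixel-perfect copy on another origin has nothing to match.
CREDENTIAL_STORE = {
    "https://myopenid.com:443": "correct horse battery staple",
}


def origin_of(url):
    """Normalize a URL to its origin string 'scheme://host:port' (None if malformed)."""
    u = urlsplit(url)
    if not u.scheme or not u.hostname:
        return None
    port = u.port or (443 if u.scheme == "https" else 80)
    return f"{u.scheme.lower()}://{u.hostname.lower()}:{port}"


def credential_for(login_url):
    """Release the password only when login_url is HTTPS and its origin is exactly
    the one the credential was registered at. Lookalike hosts, subdomain tricks and
    SSL-stripped copies of the real host all fail the exact-origin comparison."""
    origin = origin_of(login_url)
    if origin is None or not origin.startswith("https://"):
        return None  # unencrypted or malformed: the password is never typed here
    return CREDENTIAL_STORE.get(origin)


def openid_login(rp_redirect_url):
    """Simulate step 2 of the flow: the relying party tells the browser where to go
    and authenticate. The user agent, not the user, decides whether the password is
    filled in, so the decision does not depend on noticing a URL or a missing lock."""
    password = credential_for(rp_redirect_url)
    if password is None:
        return "refused"        # no autofill; the lookalike form stays empty
    return "authenticated"      # steps 3 and 4 proceed with the real provider


if __name__ == "__main__":
    print("travel.com  ->", openid_login("https://myopenid.com/signin"))
    print("travol.com  ->", openid_login("http://badopenid.com/signin"))
```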