[Opensim-dev] OpenID

Aldon Hynes Aldon.Hynes at Orient-Lodge.com
Tue Mar 3 13:34:49 UTC 2009


Can someone point me to an authentication system that isn't susceptible to
being phished?

Aldon

-----Original Message-----
From: opensim-dev-bounces at lists.berlios.de
[mailto:opensim-dev-bounces at lists.berlios.de]On Behalf Of Mike Mazur
Sent: Tuesday, March 03, 2009 2:53 AM
To: opensim-dev at lists.berlios.de
Cc: ralf at ralf-haifisch.biz
Subject: Re: [Opensim-dev] OpenID


Hi,

On Tue, 3 Mar 2009 08:40:03 +0100
"Ralf Haifisch" <ralf at ralf-haifisch.biz> wrote:

> being phished - you are talking about "getting the user's token"?

The expected scenario is this:

1. Log into travel.com using OpenID
2. travel.com redirects you to myopenid.com for you to enter your pwd
3. You enter your valid OpenID password
4. myopenid.com redirects you back to travel.com, you are now authed
5. You book your ticket safely

The phishing scenario is this:

1. Log into travol.com using OpenID
2. travol.com redirects you to BADopenid.com for you to enter your pwd.
   BADopenid.com looks just like myopenid.com, you don't notice the
   different URL and the lack of SSL session
3. You enter your valid OpenID password
4. Now the bad guys have access to your OpenID account, and all the
   services you use OpenID to authenticate with

Mike
_______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev
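
The phishing scenario quoted above turns on two things the user fails to notice at step 2: the different URL and the missing SSL session. As an added example (not part of the original thread), this Python check is one a client could apply to the redirect target before any password prompt is shown. The function name, the idea of a per-user pinned provider host, the 0.7 similarity threshold and the sample URLs are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit


def check_provider_redirect(redirect_url, pinned_host, lookalike_threshold=0.7):
    """Compare a redirect target with the provider host the user enrolled.

    Returns a list of findings; an empty list means the target is exactly
    the pinned provider and is reached over HTTPS.
    """
    parts = urlsplit(redirect_url)
    # urlsplit lowercases scheme and hostname; also drop a trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    pinned = pinned_host.lower().rstrip(".")

    findings = []
    if parts.scheme != "https":
        # "the lack of SSL session" from the scenario
        findings.append("no-tls")
    if host != pinned:
        # "the different URL" from the scenario
        findings.append("host-mismatch")
        # A host that is wrong but close to the pinned one is more likely
        # to slip past a human than an unrelated name, so flag it separately.
        if SequenceMatcher(None, host, pinned).ratio() >= lookalike_threshold:
            findings.append("lookalike-host")
    return findings


if __name__ == "__main__":
    # Constructed sample redirects; hosts are the ones named in the thread,
    # the paths are made up.
    pinned = "myopenid.com"
    for url in (
        "https://myopenid.com/signin",
        "http://BADopenid.com/signin",
        "http://myopenid.com/signin",
    ):
        print(url, "->", check_provider_redirect(url, pinned) or "ok")
```

The check only works if the pinned host comes from something the relying site cannot influence, such as a value the user saved when the OpenID account was created.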



