[Opensim-dev] OpenID
Dr Scofield
DrScofield at xyzzyxyzzy.net
Thu Mar 19 07:19:32 UTC 2009
Mike Mazur wrote:
> Hi,
>
> On Tue, 3 Mar 2009 08:40:03 +0100
> "Ralf Haifisch" <ralf at ralf-haifisch.biz> wrote:
>
>> being phished - you are talking about "getting the users token" ?
>
> The expected scenario is this:
>
> 1. Log into travel.com using OpenID
> 2. travel.com redirects you to myopenid.com for you to enter your pwd
> 3. You enter your valid OpenID password
> 4. myopenid.com redirects you back to travel.com, you are now authed
> 5. You book your ticket safely
>
> The phishing scenario is this:
>
> 1. Log into travol.com using OpenID
> 2. travol.com redirects you to BADopenid.com for you to enter your pwd.
> BADopenid.com looks just like myopenid.com, you don't notice the
> different URL and the lack of SSL session
na, na, na. that's the script kiddie scenario. EVILopenid.com uses a certificate
--- if they can't get a valid one (though why wouldn't they), they'd generate
one each day that is just one day past its validity...
> 3. You enter your valid OpenID password
> 4. Now the bad guys have access to your OpenID account, and all the
> services you use OpenID to authenticate with
>
> Mike
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
>
--
dr dirk husemann ---- virtual worlds research ---- ibm zurich research lab
SL: dr scofield ---- drscofield at xyzzyxyzzy.net ---- http://xyzzyxyzzy.net/
RL: hud at zurich.ibm.com - +41 44 724 8573 - http://www.zurich.ibm.com/~hud/
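The two checks that the scenarios in this message turn on, written out as an added example (not code from the OpenSim project or from anyone in the thread): the relying party compares the provider endpoint it redirects the user to against an allowlist of known providers over HTTPS, and the certificate presented by that provider is only accepted while inside its validity window, so the "one day past its validity" certificate is rejected instead of clicked through. The provider names, the `CertInfo` shape and the timestamps are constructed sample values, not a real OpenID library API.

```python
"""Relying-party side checks for the OpenID redirect step.

Added illustration, not the thread's or the project's code. It models:
  1. the provider endpoint must be HTTPS and on the RP's allowlist of
     known providers (exact host match, so a look-alike spelling fails), and
  2. the provider's TLS certificate must be valid at the time of the check,
     so a certificate that expired yesterday is rejected.
All hostnames and dates below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed allowlist of OpenID providers this relying party trusts.
TRUSTED_PROVIDERS = frozenset({"myopenid.com"})


@dataclass(frozen=True)
class CertInfo:
    """Minimal view of a TLS certificate: subject host and validity window."""
    subject_host: str
    not_before: datetime
    not_after: datetime


def check_provider_url(url: str) -> list:
    """Return the reasons a redirect target is unacceptable (empty list if OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("provider endpoint is not HTTPS")
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_PROVIDERS:
        problems.append("provider host %r is not on the allowlist" % host)
    return problems


def check_certificate(cert: CertInfo, host: str, now: datetime) -> list:
    """Return the reasons the certificate must not be accepted for `host` at `now`."""
    problems = []
    if cert.subject_host.lower() != host.lower():
        problems.append("certificate subject does not match the host")
    if now < cert.not_before:
        problems.append("certificate is not yet valid")
    if now > cert.not_after:
        # The 'one day past its validity' case lands here: still a rejection.
        problems.append("certificate has expired")
    return problems


def redirect_is_safe(url: str, cert: CertInfo, now: datetime) -> bool:
    """True only when both the URL and the certificate pass every check."""
    host = urlsplit(url).hostname or ""
    return not check_provider_url(url) and not check_certificate(cert, host, now)


def run_samples() -> dict:
    """Run the expected and the phishing scenario against constructed inputs."""
    now = datetime(2009, 3, 19, 7, 19, tzinfo=timezone.utc)  # constructed
    good = CertInfo("myopenid.com", now - timedelta(days=30), now + timedelta(days=335))
    # Constructed look-alike provider with a certificate that expired yesterday.
    expired = CertInfo("badopenid.com", now - timedelta(days=366), now - timedelta(days=1))
    return {
        "expected_flow": redirect_is_safe("https://myopenid.com/login", good, now),
        "no_tls": redirect_is_safe("http://myopenid.com/login", good, now),
        "lookalike_expired_cert": redirect_is_safe("https://badopenid.com/login", expired, now),
        "lookalike_problems": check_provider_url("https://badopenid.com/login"),
        "expired_problems": check_certificate(expired, "badopenid.com", now),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, "->", result)
```

The allowlist is the part that does the real work: a user cannot be expected to spot a different spelling or a missing lock icon under time pressure, but the relying party can refuse to send the user anywhere it has not already vetted, and the date comparison is what a browser's certificate warning does when it is not clicked past.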