Do you make a habit of sending your credentials to websites without checking the hostname and ignoring invalid SSL certificate warnings? That will create a problem.
John

>-----Original Message-----
>From: opensim-dev-boun...@lists.berlios.de [mailto:opensim-dev-boun...@lists.berlios.de] On Behalf Of Diva Canto
>Sent: Monday, March 02, 2009 2:45 PM
>To: opensim-dev@lists.berlios.de
>Subject: Re: [Opensim-dev] OpenID
>
>OMG!
>Sorry for insisting on this, but I tend to get obsessive when I'm trying
>to figure things out :-)
>I just tried logging in to some random Brazilian site using my OpenID-ed
>Yahoo account. Indeed, it... works... I guess.
>I seem to have been redirected to a Yahoo OpenID login page, which,
>after I entered my password, proceeded to warn me that "Warning: this
>web site has not confirmed its identity with Yahoo! and might be
>fraudulent....".
>
>I have no idea/guarantees that this site that the Brazilian site
>redirected me to, that looks like Yahoo, where I entered my password, and
>that is warning me of danger, is, indeed, a legitimate Yahoo site. It
>might not be. And I have no idea what that potentially fraudulent
>Brazilian site might do with the info it gets from Yahoo (assuming this
>is Yahoo and not a phishing scam).
>
>Sorry, this defies all common sense...
>
>I can see the *mechanism* of OpenID working among a group of
>organizations that trust each other by exo-technical means (read
>lawyers). But this mechanism in decentralized, world-wide open systems?!
>That's insane!
>
>Crista
>
>Diva Canto wrote:
>> The more I read about OpenID the more concerns I have that it's unsafe
>> -- not just for OpenSim but in general. It seems that OpenID is a
>> wonderful opportunity for phishing sites to get access to people's
>> passwords directly.
>>
>> The flaw is that it assumes that the initial site is trustworthy.
>> That's a huge assumption! Try to use your OSGrid OpenID-ed account in a
>> future version of DNCH... it will direct you to a page that will look like
>> OSGrid's login page, and then it will steal your password as you type it.
>>
>> Is this serious?! Maybe I'm missing something fundamental...
>>
>> <puzzled>
>> Crista
>>
>> _______________________________________________
>> Opensim-dev mailing list
>> Opensim-dev@lists.berlios.de
>> https://lists.berlios.de/mailman/listinfo/opensim-dev
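John's point above, that the hostname and the certificate have to be checked before a password is typed, as an added example that is not part of this thread: a small Python check over the OpenID 2.0 redirect a relying party sends the browser, flagging a non-HTTPS endpoint, a provider host outside a known list (matched on whole labels, so a lookalike domain does not pass), and malformed OpenID parameters. All hostnames and URLs are constructed placeholders.

```python
"""Sanity-check an OpenID 2.0 checkid_setup redirect before following it.

Constructed example; hostnames and URLs are placeholders, not real providers.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
TRUSTED_OPS = ["idp.example.com"]  # the only OP this user expects to be sent to


def host_matches(host: str, trusted: str) -> bool:
    """True for the trusted host itself or a subdomain of it, matched on whole
    labels; a plain substring test would accept 'idp.example.com.lookalike.test'."""
    host, trusted = host.lower().rstrip("."), trusted.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def check_openid_redirect(url: str, trusted_ops: list[str]) -> list[str]:
    """Return the problems found; an empty list means the redirect looks sane."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("endpoint is not https")
    host = parts.hostname or ""
    if not any(host_matches(host, op) for op in trusted_ops):
        problems.append(f"endpoint host {host!r} is not a known provider")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if q.get("openid.ns") != OPENID2_NS:
        problems.append("missing or unexpected openid.ns")
    if q.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        problems.append("unexpected openid.mode")
    if urlsplit(q.get("openid.return_to", "")).scheme != "https":
        problems.append("return_to is not https")
    return problems


def build_redirect(endpoint: str, return_to: str) -> str:
    """Build the redirect a relying party would send the browser to (constructed)."""
    params = {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": IDENTIFIER_SELECT, "openid.identity": IDENTIFIER_SELECT,
              "openid.return_to": return_to, "openid.realm": return_to}
    return endpoint + ("&" if "?" in endpoint else "?") + urlencode(params)


RETURN_TO = "https://grid.example.org/openid/finish"
GOOD = build_redirect("https://idp.example.com/openid/auth", RETURN_TO)
LOOKALIKE = build_redirect("https://idp.example.com.lookalike.test/openid/auth", RETURN_TO)
PLAIN_HTTP = build_redirect("http://idp.example.com/openid/auth", RETURN_TO)
```

A passing check only says the redirect points at a provider the user already knows over HTTPS; the TLS certificate warning the browser shows for the endpoint still has to be honoured separately.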