Hi Diva,

On Mon, 02 Mar 2009 14:44:46 -0800 Diva Canto <d...@metaverseink.com> wrote:

> I just tried logging in to some random Brazilian site using my OpenID-ed
> Yahoo account. Indeed, it... works... I guess.
> I seem to have been redirected to a Yahoo OpenID login page, which,
> after I entered my password, proceeded to warn me that "Warning: this
> web site has not confirmed its identity with Yahoo! and might be
> fraudulent....".
>
> I have no idea/guarantees that this site that the Brazilian site
> redirected me to, that looks like Yahoo, where I entered my password, and
> that is warning me of danger, is, indeed, a legitimate Yahoo site. It
> might not be.

The Yahoo site you are redirected to should be using an SSL connection
(https:// and the little padlock in the status bar). This is true for
myopenid.com, and I would be surprised if it wasn't true for Yahoo's
OpenID service as well. If this Yahoo site itself is fraudulent, it
somehow must have gotten a valid SSL cert for yahoo.com.

> And I have no idea what that potentially fraudulent
> Brazilian site might do with the info it gets from Yahoo (assuming
> this is Yahoo and not a phishing scam).

The Brazilian website does not get your OpenID password; it only gets
confirmation from Yahoo that you are who you claim you are. I think in
OpenID 2.0 they also included a notion of attributes that you can share
with OpenID consumers (the Brazilian site in this case), such as your
name, email address, etc., but you manually approve those before they
are shared.

Standard disclaimer: I'm not a security expert either, and I'm not
looking at the OpenID documentation as I write this, so expect bugs in
the explanation above.

Hope that helps,
Mike

_______________________________________________
Opensim-dev mailing list
Opensim-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev
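The redirect flow Mike describes, as an added example that is not part of the thread and is not Yahoo's, myopenid.com's or OpenSim's code: a toy OpenID 2.0 model in which the relying party (the Brazilian site) sends the browser to the provider (Yahoo), the provider checks the password and hands back a signed assertion, and the relying party verifies the signature and sees only the identity plus the attributes the user approved, never the password. Assumptions, labelled in the code: the association key is handed to the relying party directly instead of via the Diffie-Hellman exchange the real protocol uses, the provider endpoint `https://op.example/` and the user record are constructed, and the "this web site has not confirmed its identity" warning is modelled simply as the relying party's realm not being in a set the provider was able to verify.

```python
"""Toy model of the OpenID 2.0 redirect login flow (added example, not
code from the thread, Yahoo, myopenid.com or OpenSim). Assumptions: the
association key is handed over directly (real OpenID uses Diffie-Hellman
or TLS), and the OP's "site has not confirmed its identity" warning is
modelled as the RP realm missing from a set of verified realms."""
import base64
import hashlib
import hmac
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

NS = "http://specs.openid.net/auth/2.0"
OP_ENDPOINT = "https://op.example/"      # hypothetical provider endpoint
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def sign(key, fields):
    """HMAC-SHA256 over the key-value form of the fields listed in 'signed'."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return base64.b64encode(hmac.new(key, kv.encode(), hashlib.sha256).digest()).decode()


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class Provider:
    """The OpenID Provider (Yahoo). It alone stores and checks the password."""

    def __init__(self):
        # Constructed user record: a password hash, never the password itself.
        self._users = {"diva": hashlib.sha256(b"correct horse").hexdigest()}
        self._attrs = {"diva": {"email": "diva@example.org", "fullname": "Diva Canto"}}
        self._assocs = {}            # assoc_handle -> shared MAC key
        self._known_realms = set()   # realms whose RP discovery succeeded (simplified)

    def associate(self):
        handle, key = secrets.token_hex(8), os.urandom(32)
        self._assocs[handle] = key
        return handle, key

    def checkid_setup(self, redirect_url, username, password, approved_attrs):
        """Browser arrives from the RP; returns (warning or None, return URL)."""
        q = _query(redirect_url)
        if not q["openid.return_to"].startswith(q["openid.realm"]):
            raise ValueError("return_to is outside the claimed realm")
        warning = (None if q["openid.realm"] in self._known_realms
                   else "Warning: this web site has not confirmed its identity")
        if self._users.get(username) != hashlib.sha256(password.encode()).hexdigest():
            raise PermissionError("bad password")
        fields = {"ns": NS, "mode": "id_res", "op_endpoint": OP_ENDPOINT,
                  "claimed_id": q["openid.claimed_id"], "identity": q["openid.identity"],
                  "return_to": q["openid.return_to"], "assoc_handle": q["openid.assoc_handle"],
                  "response_nonce": secrets.token_hex(8)}
        for name in approved_attrs:  # only user-approved attributes leave the OP
            fields["ax." + name] = self._attrs[username][name]
        fields["signed"] = ",".join(sorted(list(fields) + ["signed"]))
        fields["sig"] = sign(self._assocs[fields["assoc_handle"]], fields)
        back = fields["return_to"] + "?" + urlencode({"openid." + k: v for k, v in fields.items()})
        return warning, back


class RelyingParty:
    """The consumer site. Holds an association secret, never a user password."""

    def __init__(self, op, realm):
        self.realm, self._seen = realm, set()
        self.handle, self.key = op.associate()

    def login_url(self, claimed_id):
        return OP_ENDPOINT + "?" + urlencode({
            "openid.ns": NS, "openid.mode": "checkid_setup",
            "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
            "openid.return_to": self.realm + "login/return", "openid.realm": self.realm,
            "openid.assoc_handle": self.handle})

    def complete(self, return_url):
        """Verify the OP's assertion; return identity+attrs, or None if rejected."""
        q = {k[len("openid."):]: v for k, v in _query(return_url).items()}
        signed = set(q.get("signed", "").split(","))
        if q.get("mode") != "id_res" or q.get("assoc_handle") != self.handle:
            return None
        if q.get("return_to") != self.realm + "login/return":
            return None
        if not REQUIRED_SIGNED <= signed or any(k.startswith("ax.") and k not in signed for k in q):
            return None                                   # unsigned field smuggled in
        if not hmac.compare_digest(sign(self.key, q), q.get("sig", "")):
            return None                                   # forged or tampered assertion
        if q["response_nonce"] in self._seen:
            return None                                   # replayed assertion
        self._seen.add(q["response_nonce"])
        return {"identity": q["identity"],
                "attrs": {k[3:]: v for k, v in q.items() if k.startswith("ax.")}}


def demo():
    """Returns (OP warning, forged-result, legit result, replay result)."""
    op, rp = Provider(), RelyingParty(Provider(), "https://brazil.example/")
    rp.handle, rp.key = op.associate()        # associate with the OP actually used
    url = rp.login_url("https://op.example/diva")
    warning, back = op.checkid_setup(url, "diva", "correct horse", approved_attrs=["email"])
    forged = rp.complete(back.replace("diva", "mallory"))   # signed fields altered
    return warning, forged, rp.complete(back), rp.complete(back)
```

The relying party's `complete` is the part worth studying: the signature check is what turns "some site sent my browser back with a name in the URL" into "Yahoo vouched for this name", and the signed-field and nonce checks are what stop a malicious relying party or a man in the middle from appending extra attributes or replaying an old assertion. Nothing in the relying party's code path ever handles the password.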