Hi, On Tue, 3 Mar 2009 08:40:03 +0100 "Ralf Haifisch" <r...@ralf-haifisch.biz> wrote:
> beiing pished - you are talking about "getting the users token" ? The expected scenario is this: 1. Log into travel.com using OpenID 2. travel.com redirects you to myopenid.com for you to enter your pwd 3. You enter your valid OpenID password 4. myopenid.com redirects you back to travel.com, you are now authed 5. You book your ticket safely The phishing scenario is this: 1. Log into travol.com using OpenID 2. travol.com redirects you to BADopenid.com for you to enter your pwd. BADopenid.com looks just like myopenid.com, you don't notice the different URL and the lack of SSL session 3. You enter your valid OpenID password 4. Now the bad guys have access to your OpenID account, and all the services you use OpenID to authenticate with Mike _______________________________________________ Opensim-dev mailing list Opensim-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/opensim-dev
