Re: [Opensim-dev] OpenID
The problem with OpenID is not OpenID, it's people who don't understand what OpenID really does. OpenID is a protocol for federated (distributed) identity. Nothing more, nothing less. It makes no claims about security -- it *cannot*. If you are expecting OpenID to be a magic box that answers all your authentication needs, you aren't reading very carefully. All OpenID says to you is "server foo.example.com asserts this connection is joe.example.com". The meaning of that phrase is not, nor could it ever be, defined by the protocol itself. It's up to *you* to decide what that statement means.

Once you consider that a primary design goal was to not rely on a single trusted entity, you'll notice that the protocol is entirely orthogonal to trust. Trust is an extra ingredient you have to add on a site-by-site, or application-by-application basis. What you *can* however notice is that OpenID provides the *means* for establishing a network of trust using white lists. However it is *way* beyond the scope of the protocol to go as far as to tell the Internet at large *who* should be written down on those white lists.

The mistake OpenID made was giving engineers too much credit for discovering this implication by themselves. It should have been released with an explicit disclaimer about phishing, and formalized some sort of notion of trust networks to keep the outrage at bay.

Bottom line IMO: learn OpenID, use OpenID, build a *Trust Network* on OpenID that is site configurable by grid administrators -- like HG links are now.

Cheers,

On Wed, Mar 4, 2009 at 2:43 AM, Diva Canto wrote:
> Sean Dague wrote:
>> I guess the question is whether or not this is better or worse than
>> requiring new user account registration for systems, which inevitably is
>> people typing in the same passwords as they've used elsewhere.
>>
> I can't say I have the answer to that question, although I have a hunch
> about it. All I can say is that it is extremely irresponsible on the
> part of these corporations to deploy this scheme out there without
> finding the answer to that question, given all the literature pointing
> to how oblivious people are wrt security in practice.
>
>> Those are general statements on the tech. How it fits in the opensim
>> space, I'll leave to others, because it may not be appropriate. But
>> make sure that if you are going to hold up openid to such a high
>> standard of social engineering, that you hold other methods to that as
>> well.
>>
> Let's put it this way: if I had the low standards and ethics that the
> people who wrote the OpenID spec have I would say that the Hypergrid is
> 1.0 and that the security problems "can be prevented in multiple ways"
> and "are outside the scope of this document." Then I would charge
> $5000/day to do consulting work with
> the people who want to use the Hypergrid for added convenience, without
> ever mentioning the security problems that it currently has. [That seems
> to be the game with OpenID, as far as I can tell; to the credit of
> OAuth, in comparison, they, at least, acknowledge the phishing problem
> explicitly]
>
> I really don't know if we can secure the Hypergrid the right way (well,
> I think we can, but it will take some work including client-side :-),
> but I do know that anything that is based on random components asking
> people for their passwords is out of the question, at least for any
> security schemes I will be involved with.
>
> Having said that, it's clear to me that, should we use the OpenID
> protocol as a basis for Hypergrid identity, it doesn't necessarily need
> to be used in the irresponsible manner it is being used on the Web. As I
> said, the mechanism is fine. And there is something of value to having
> OpenID and OAuth together. My main technical issue is the existence of
> multiple calls and the complexity of the solution in terms of the code,
> because of model mismatch.
>
> I haven't finished my study on this yet. I have been distracted
> (distraught?) by what I'm seeing of OpenID out there on Webland...
>
> Crista

___
Opensim-dev mailing list
Opensim-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev
Re: [Opensim-dev] OpenID
Diva Canto wrote:
> There is nothing wrong with the mechanism and its roots. In fact, when I
> first read the spec I liked it a lot. But I hadn't used this until 2
> hours ago.
>
> There is, potentially, a huge hole in the resulting system because it
> ignores how people interact with their computers. Did anyone make a
> serious study about how the normal people react to being phished on
> using OpenID? That sounds like a great project for one of my colleagues
> here at UCI...

i agree with you re the concerns that normal users tend to not really check the security status of a page. most wouldn't even know how to do this properly: they probably check whether there is the little padlock icon in the header, but that's about it. very few know that that padlock icon is just an indicator and that one should check the certificate as well... and i've got to admit that it's been a long time since i checked the certificate of amazon.com, etc. and even if you do know how to check the certificate, what does it all mean?

a better approach would be openID coupled with an out-of-band channel that, for example, utilizes your mobile phone (think OpenID + mTAN), but that would mean that each authentication would cost a bit.

DrS/dirk

--
dr dirk husemann
virtual worlds research
ibm zurich research lab
SL: dr scofield drscofi...@xyzzyxyzzy.net http://xyzzyxyzzy.net/
RL: h...@zurich.ibm.com - +41 44 724 8573 - http://www.zurich.ibm.com/~hud/
Re: [Opensim-dev] OpenID
Mike Mazur wrote:
> Hi,
>
> On Tue, 3 Mar 2009 08:40:03 +0100
> "Ralf Haifisch" wrote:
>
>> being phished - you are talking about "getting the user's token" ?
>
> The expected scenario is this:
>
> 1. Log into travel.com using OpenID
> 2. travel.com redirects you to myopenid.com for you to enter your pwd
> 3. You enter your valid OpenID password
> 4. myopenid.com redirects you back to travel.com, you are now authed
> 5. You book your ticket safely
>
> The phishing scenario is this:
>
> 1. Log into travol.com using OpenID
> 2. travol.com redirects you to BADopenid.com for you to enter your pwd.
>    BADopenid.com looks just like myopenid.com, you don't notice the
>    different URL and the lack of SSL session

na, na, na. that's the script kiddie scenario. EVILopenid.com uses a certificate --- if they can't get a valid one (though why wouldn't they), they'd generate one each day that is just one day past its validity...

> 3. You enter your valid OpenID password
> 4. Now the bad guys have access to your OpenID account, and all the
>    services you use OpenID to authenticate with
>
> Mike

--
dr dirk husemann
virtual worlds research
ibm zurich research lab
SL: dr scofield drscofi...@xyzzyxyzzy.net http://xyzzyxyzzy.net/
RL: h...@zurich.ibm.com - +41 44 724 8573 - http://www.zurich.ibm.com/~hud/
Re: [Opensim-dev] OpenID
Aldon Hynes wrote:
> Can someone point me to an authentication system that isn't susceptible to
> being phished?

as soon as you add an out-of-band channel, you have increased your security quite a bit...

cheers,
dirk

> Aldon
>
> -----Original Message-----
> From: opensim-dev-boun...@lists.berlios.de
> [mailto:opensim-dev-boun...@lists.berlios.de] On Behalf Of Mike Mazur
> Sent: Tuesday, March 03, 2009 2:53 AM
> To: opensim-dev@lists.berlios.de
> Cc: r...@ralf-haifisch.biz
> Subject: Re: [Opensim-dev] OpenID
>
> Hi,
>
> On Tue, 3 Mar 2009 08:40:03 +0100
> "Ralf Haifisch" wrote:
>
>> being phished - you are talking about "getting the user's token" ?
>
> The expected scenario is this:
>
> 1. Log into travel.com using OpenID
> 2. travel.com redirects you to myopenid.com for you to enter your pwd
> 3. You enter your valid OpenID password
> 4. myopenid.com redirects you back to travel.com, you are now authed
> 5. You book your ticket safely
>
> The phishing scenario is this:
>
> 1. Log into travol.com using OpenID
> 2. travol.com redirects you to BADopenid.com for you to enter your pwd.
>    BADopenid.com looks just like myopenid.com, you don't notice the
>    different URL and the lack of SSL session
> 3. You enter your valid OpenID password
> 4. Now the bad guys have access to your OpenID account, and all the
>    services you use OpenID to authenticate with
>
> Mike

--
dr dirk husemann
virtual worlds research
ibm zurich research lab
SL: dr scofield drscofi...@xyzzyxyzzy.net http://xyzzyxyzzy.net/
RL: h...@zurich.ibm.com - +41 44 724 8573 - http://www.zurich.ibm.com/~hud/
Re: [Opensim-dev] OpenID
I believe one key contextual component we have, that most 'web' scenarios don't have, is that we can base our authentication on 'pushing' authentication. I believe that it should be very possible to create a scheme where you always start your session with logging onto your home registration grid, then establish a viewer session with each region in turn.

Now of course, something like openId could probably be used intra-session. My only beef is that it should never be considered the main provided 'entry' authentication scheme, for what I consider obvious reasons.

So, if we can let 3D Web resources be so portable (continue down the separation and distribution path started upon by hypergrid) that you only ever need to register one account for your OpenSim experience, and if there can be third-party providers that provide openId entry authentication that lets me use openId for that (me knowing the risks involved, but trusting this particular party) I think that would solve the whole thing.

Best regards,
Stefan Andersson
Tribal Media AB

> Date: Tue, 3 Mar 2009 16:43:00 -0800
> From: d...@metaverseink.com
> To: opensim-dev@lists.berlios.de
> Subject: Re: [Opensim-dev] OpenID
>
> Sean Dague wrote:
> > I guess the question is whether or not this is better or worse than
> > requiring new user account registration for systems, which inevitably is
> > people typing in the same passwords as they've used elsewhere.
> >
> I can't say I have the answer to that question, although I have a hunch
> about it. All I can say is that it is extremely irresponsible on the
> part of these corporations to deploy this scheme out there without
> finding the answer to that question, given all the literature pointing
> to how oblivious people are wrt security in practice.
>
> > Those are general statements on the tech. How it fits in the opensim
> > space, I'll leave to others, because it may not be appropriate. But
> > make sure that if you are going to hold up openid to such a high
> > standard of social engineering, that you hold other methods to that as
> > well.
> >
> Let's put it this way: if I had the low standards and ethics that the
> people who wrote the OpenID spec have I would say that the Hypergrid is
> 1.0 and that the security problems "can be prevented in multiple ways"
> and "are outside the scope of this document." Then I would charge
> $5000/day to do consulting work with
> the people who want to use the Hypergrid for added convenience, without
> ever mentioning the security problems that it currently has. [That seems
> to be the game with OpenID, as far as I can tell; to the credit of
> OAuth, in comparison, they, at least, acknowledge the phishing problem
> explicitly]
>
> I really don't know if we can secure the Hypergrid the right way (well,
> I think we can, but it will take some work including client-side :-),
> but I do know that anything that is based on random components asking
> people for their passwords is out of the question, at least for any
> security schemes I will be involved with.
>
> Having said that, it's clear to me that, should we use the OpenID
> protocol as a basis for Hypergrid identity, it doesn't necessarily need
> to be used in the irresponsible manner it is being used on the Web. As I
> said, the mechanism is fine. And there is something of value to having
> OpenID and OAuth together. My main technical issue is the existence of
> multiple calls and the complexity of the solution in terms of the code,
> because of model mismatch.
>
> I haven't finished my study on this yet. I have been distracted
> (distraught?) by what I'm seeing of OpenID out there on Webland...
>
> Crista
Re: [Opensim-dev] OpenID
Sean Dague wrote:
> I guess the question is whether or not this is better or worse than
> requiring new user account registration for systems, which inevitably is
> people typing in the same passwords as they've used elsewhere.
>
I can't say I have the answer to that question, although I have a hunch about it. All I can say is that it is extremely irresponsible on the part of these corporations to deploy this scheme out there without finding the answer to that question, given all the literature pointing to how oblivious people are wrt security in practice.

> Those are general statements on the tech. How it fits in the opensim
> space, I'll leave to others, because it may not be appropriate. But
> make sure that if you are going to hold up openid to such a high
> standard of social engineering, that you hold other methods to that as
> well.
>
Let's put it this way: if I had the low standards and ethics that the people who wrote the OpenID spec have I would say that the Hypergrid is 1.0 and that the security problems "can be prevented in multiple ways" and "are outside the scope of this document." Then I would charge $5000/day to do consulting work with the people who want to use the Hypergrid for added convenience, without ever mentioning the security problems that it currently has. [That seems to be the game with OpenID, as far as I can tell; to the credit of OAuth, in comparison, they, at least, acknowledge the phishing problem explicitly]

I really don't know if we can secure the Hypergrid the right way (well, I think we can, but it will take some work including client-side :-), but I do know that anything that is based on random components asking people for their passwords is out of the question, at least for any security schemes I will be involved with.

Having said that, it's clear to me that, should we use the OpenID protocol as a basis for Hypergrid identity, it doesn't necessarily need to be used in the irresponsible manner it is being used on the Web. As I said, the mechanism is fine. And there is something of value to having OpenID and OAuth together. My main technical issue is the existence of multiple calls and the complexity of the solution in terms of the code, because of model mismatch.

I haven't finished my study on this yet. I have been distracted (distraught?) by what I'm seeing of OpenID out there on Webland...

Crista
Re: [Opensim-dev] OpenID
> this out there for real, with a 2.0 tag, without first understanding
> if/how people detect phishing in this particular context. There have
> been enough studies in the past about how normal people handle security
> (or not) in practice, and the fallacies of designing systems assuming
> that people choose security over convenience.
>
> But hey -- I have no interest in the success or failure of the
> corporations that are pushing for this.
> I'll just stay here on my academic Ivory tower watching the phishing
> artists unwrap this wonderful present that is falling on their laps...
> http://marcoslot.net/apps/openid/
>
>
> And that's my last email about OpenID; case closed afaic, I'm too old
> and too cranky for these Web 2.0 experiments. I'd rather continue trying
> to solve the problem for real :-)

I guess the question is whether or not this is better or worse than requiring new user account registration for systems, which inevitably is people typing in the same passwords as they've used elsewhere.

While there are clearly ways to social engineer openid, I don't think it's any worse than all the existing accounts. My openid account is on a website that I definitely control, and know what my login form will look like (and, honestly, am typically already logged into, which is even better). Openid for me is way better than creating new accounts.

Those are general statements on the tech. How it fits in the opensim space, I'll leave to others, because it may not be appropriate. But make sure that if you are going to hold up openid to such a high standard of social engineering, that you hold other methods to that as well.

-Sean

--
Sean Dague / Neas Bade
sda...@gmail.com
http://dague.net
Re: [Opensim-dev] OpenID
We currently have a completely open system when it comes to HyperGrid - it's on or off, and if it's on, anyone can come in. We know where people come from - that much is readily apparent in the IP and port of that user's local authentication provider. If I only want to allow certain people to HyperGrid to my grid, say those that come from a grid that I trust, then I would like to add them to a trusted list. It's federated identity - we trust other authentication providers (the other grids) to handle their user accounts, and we let those users in. Those we do not trust, we have the option of stopping. Or, just leave it open, your choice.

You have to separate authentication from authorisation. This is who I am, this is what I am allowed to do. If you can trust the authentication provider, then you can control authorisation at your end depending on the level of trust you grant to those users based on where they are from.

On the other hand, imagine I have a collection of education grids with school kids from around the world - they would like to collaborate and HyperGrid to each other, but do not want their kids HyperGridding to 18+ grids. I would like to provide a set of trusted destinations for my gridizens that conform to my own grid's PG rating.

Chris
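Chris's split between authentication (done by the user's home grid) and authorisation (decided by the grid being visited), written out as an added example. This is not OpenSim code; it assumes, as Chris says, that an incoming user is identified by the host:port of their home authentication provider, and every grid name, rating and role below is a constructed sample.

```python
"""Per-grid HyperGrid admission policy: trust is granted to home grids, not users."""
from dataclasses import dataclass, field

# Content ratings in increasing order; "PG" versus "Adult" is the 18+ line from the thread.
RATING_LEVEL = {"PG": 0, "Mature": 1, "Adult": 2}


@dataclass
class GridPolicy:
    """What one grid administrator configures. Trust is keyed by the home
    authentication provider ("host:port"), never by an individual user."""
    name: str
    rating: str                                              # this grid's own rating
    inbound_mode: str = "open"                               # "open" or "allowlist"
    trusted_homes: dict = field(default_factory=dict)        # "host:port" -> role on arrival
    trusted_destinations: set = field(default_factory=set)   # outbound allowlist
    restrict_outbound: bool = False                          # True: only trusted_destinations


def admit(policy, home_provider):
    """Inbound decision. The home grid has already authenticated the user; this
    grid only decides whether, and as what, they may enter.
    Returns (allowed, role_or_reason)."""
    role = policy.trusted_homes.get(home_provider)
    if role is not None:
        return True, role                     # trusted origin: granted the configured role
    if policy.inbound_mode == "allowlist":
        return False, f"{home_provider} is not a trusted authentication provider"
    return True, "visitor"                    # open grid: unknown origins get the least role


def may_travel_to(policy, destination, declared_rating):
    """Outbound decision for a gridizen of this grid. The destination's rating
    is self-declared, so a grid that cares (the education case) pins an
    explicit destination list; the rating check is only a second line, and an
    unknown rating is treated as Adult so the check fails closed."""
    if policy.restrict_outbound and destination not in policy.trusted_destinations:
        return False, f"{destination} is not on {policy.name}'s trusted destination list"
    level = RATING_LEVEL.get(declared_rating, RATING_LEVEL["Adult"])
    if level > RATING_LEVEL[policy.rating]:
        return False, f"{destination} is rated {declared_rating}, above {policy.name}'s {policy.rating}"
    return True, "ok"


def sample_policies():
    """Three constructed grids: a locked-down school, a PG hobby grid, an open adult grid."""
    school = GridPolicy("school-grid", "PG", inbound_mode="allowlist",
                        trusted_homes={"partner-school.example:8002": "student"},
                        trusted_destinations={"partner-school.example:8002",
                                              "museum.example:8002"},
                        restrict_outbound=True)
    hobby = GridPolicy("hobby-grid", "PG")                  # open, relies on ratings only
    public = GridPolicy("public-grid", "Adult",
                        trusted_homes={"friends.example:8002": "builder"})
    return school, hobby, public


def run_samples():
    """The thread's scenarios against the constructed policies."""
    school, hobby, public = sample_policies()
    return {
        "partner student into school": admit(school, "partner-school.example:8002"),
        "stranger into school": admit(school, "randomgrid.example:8002"),
        "stranger into public grid": admit(public, "randomgrid.example:8002"),
        "friend into public grid": admit(public, "friends.example:8002"),
        "school kid to museum": may_travel_to(school, "museum.example:8002", "PG"),
        "school kid to unlisted PG grid": may_travel_to(school, "other-pg.example:8002", "PG"),
        "hobby user to adult grid": may_travel_to(hobby, "nightlife.example:8002", "Adult"),
        "hobby user to unrated grid": may_travel_to(hobby, "mystery.example:8002", "Unrated"),
        "public user to adult grid": may_travel_to(public, "nightlife.example:8002", "Adult"),
    }


if __name__ == "__main__":
    for label, (allowed, detail) in run_samples().items():
        print(f"{'ALLOW' if allowed else 'DENY '}  {label}: {detail}")
```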
Re: [Opensim-dev] OpenID
Can someone point me to an authentication system that isn't susceptible to being phished?

Aldon

-----Original Message-----
From: opensim-dev-boun...@lists.berlios.de
[mailto:opensim-dev-boun...@lists.berlios.de] On Behalf Of Mike Mazur
Sent: Tuesday, March 03, 2009 2:53 AM
To: opensim-dev@lists.berlios.de
Cc: r...@ralf-haifisch.biz
Subject: Re: [Opensim-dev] OpenID

Hi,

On Tue, 3 Mar 2009 08:40:03 +0100
"Ralf Haifisch" wrote:

> being phished - you are talking about "getting the user's token" ?

The expected scenario is this:

1. Log into travel.com using OpenID
2. travel.com redirects you to myopenid.com for you to enter your pwd
3. You enter your valid OpenID password
4. myopenid.com redirects you back to travel.com, you are now authed
5. You book your ticket safely

The phishing scenario is this:

1. Log into travol.com using OpenID
2. travol.com redirects you to BADopenid.com for you to enter your pwd.
   BADopenid.com looks just like myopenid.com, you don't notice the
   different URL and the lack of SSL session
3. You enter your valid OpenID password
4. Now the bad guys have access to your OpenID account, and all the
   services you use OpenID to authenticate with

Mike
Re: [Opensim-dev] OpenID
Diva, while I know you've made your last post on the point, I just wanted to tell you I'm in 100% agreement. I had heard talk about the weakness of openId before, but never really looked into it. This just amazes me.

Technicians really believe that we won't see forms posting to malicious pop-ups that have removed and/or substituted all browser UI? Counting on the end-user to know exactly what experience to expect, what icons to click to secure certificates? If this is really how openId is supposed to work, if you're really supposed to be _told_ where and how to go to authenticate by _the_very_party_ you're trying to authenticate against... Amazing.

Now, I won't comment further either. I believe it's more important to get ANY security scheme in place than to get the RIGHT one in place. Let's just make sure it's pluggable.

Best regards,
Stefan Andersson
Tribal Media AB

> Date: Tue, 3 Mar 2009 16:53:08 +0900
> From: mma...@gmail.com
> To: opensim-dev@lists.berlios.de
> CC: r...@ralf-haifisch.biz
> Subject: Re: [Opensim-dev] OpenID
>
> Hi,
>
> On Tue, 3 Mar 2009 08:40:03 +0100
> "Ralf Haifisch" wrote:
>
> > being phished - you are talking about "getting the user's token" ?
>
> The expected scenario is this:
>
> 1. Log into travel.com using OpenID
> 2. travel.com redirects you to myopenid.com for you to enter your pwd
> 3. You enter your valid OpenID password
> 4. myopenid.com redirects you back to travel.com, you are now authed
> 5. You book your ticket safely
>
> The phishing scenario is this:
>
> 1. Log into travol.com using OpenID
> 2. travol.com redirects you to BADopenid.com for you to enter your pwd.
>    BADopenid.com looks just like myopenid.com, you don't notice the
>    different URL and the lack of SSL session
> 3. You enter your valid OpenID password
> 4. Now the bad guys have access to your OpenID account, and all the
>    services you use OpenID to authenticate with
>
> Mike
Re: [Opensim-dev] OpenID
Hi,

On Tue, 3 Mar 2009 08:40:03 +0100
"Ralf Haifisch" wrote:

> being phished - you are talking about "getting the user's token" ?

The expected scenario is this:

1. Log into travel.com using OpenID
2. travel.com redirects you to myopenid.com for you to enter your pwd
3. You enter your valid OpenID password
4. myopenid.com redirects you back to travel.com, you are now authed
5. You book your ticket safely

The phishing scenario is this:

1. Log into travol.com using OpenID
2. travol.com redirects you to BADopenid.com for you to enter your pwd.
   BADopenid.com looks just like myopenid.com, you don't notice the
   different URL and the lack of SSL session
3. You enter your valid OpenID password
4. Now the bad guys have access to your OpenID account, and all the
   services you use OpenID to authenticate with

Mike
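The redirect in step 2 above is the point where the user's own software could refuse instead of relying on the user to read the address bar, which is what later replies in this thread argue for. The following is an added example, not code from the thread or from OpenSim: it assumes the client (a viewer or browser add-on) knows which provider the user enrolled with and can see the redirect target and the server certificate's expiry; the provider names, clock and certificate dates are constructed samples.

```python
"""Client-side guard for the 'redirect to your OpenID provider' step."""
from datetime import datetime, timedelta, timezone
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed: the one provider this user enrolled with. A password prompt
# anywhere else, however familiar the page looks, is not where the password belongs.
PINNED_OP_HOSTS = {"myopenid.com"}

# Constructed clock and certificate dates so the checks run offline.
SAMPLE_NOW = datetime(2009, 3, 3, 8, 40, tzinfo=timezone.utc)
VALID_CERT_EXPIRY = SAMPLE_NOW + timedelta(days=30)
EXPIRED_CERT_EXPIRY = SAMPLE_NOW - timedelta(days=1)   # the "one day past its validity" case

LOOKALIKE_THRESHOLD = 0.6   # SequenceMatcher ratio above which a host is reported as a lookalike


def lookalike_of(host, pinned_hosts):
    """Return the pinned host that `host` most resembles, or None if none is close.
    Used only to give the user a better reason; the decision is already 'block'."""
    if not pinned_hosts:
        return None
    best = max(pinned_hosts, key=lambda h: SequenceMatcher(None, host, h).ratio())
    if SequenceMatcher(None, host, best).ratio() >= LOOKALIKE_THRESHOLD:
        return best
    return None


def check_op_redirect(redirect_url, cert_not_after=None, now=SAMPLE_NOW,
                      pinned_hosts=PINNED_OP_HOSTS):
    """Decide whether the password prompt at `redirect_url` may be shown.

    Returns (allowed, reason). The order matters: scheme first (without TLS the
    certificate questions do not arise), then host pinning (a perfectly valid
    certificate for the wrong host is still the wrong host), then expiry. Every
    failure is a refusal, not a warning the user can click through.
    """
    parts = urlsplit(redirect_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return False, f"login page served over {parts.scheme or 'no scheme'}, not https"
    if host not in pinned_hosts:
        near = lookalike_of(host, pinned_hosts)
        if near:
            return False, f"{host} is not an enrolled provider but looks like {near} (lookalike)"
        return False, f"{host} is not an enrolled provider"
    if cert_not_after is None:
        return False, "certificate validity unknown; refusing rather than warning"
    if cert_not_after < now:
        days = (now - cert_not_after).days
        return False, f"certificate for {host} expired {days} day(s) ago"
    return True, f"redirect to enrolled provider {host} over https with a current certificate"


def run_samples():
    """The thread's scenarios as constructed inputs. Returns [(url, allowed, reason)]."""
    cases = [
        ("https://myopenid.com/signin", VALID_CERT_EXPIRY),     # expected flow
        ("http://BADopenid.com/signin", VALID_CERT_EXPIRY),     # Mike's 'lack of SSL' case
        ("https://BADopenid.com/signin", VALID_CERT_EXPIRY),    # lookalike that did get a certificate
        ("https://myopenid.com/signin", EXPIRED_CERT_EXPIRY),   # right host, stale certificate
    ]
    return [(url, *check_op_redirect(url, cert_not_after=exp)) for url, exp in cases]


if __name__ == "__main__":
    for url, allowed, reason in run_samples():
        print("ALLOW" if allowed else "BLOCK", url, "-", reason)
```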
Re: [Opensim-dev] OpenID
Na... It will reduce the amount of passwords transmitted / typed in. You only authenticate to the auth-provider (verisign e.g.). So you have at least 1 step more security unless you give out more data.

But I totally agree that people are the weak factor. That is where modern standards talk about these exo-technical ways to security, like awareness programs. I don't think a system nowadays can do much better. That is why I wrote about this "trusted stack": If hardware and software, as well as the target application, are "signed" (by a digital certificate) and can identify each other - so we get a complete certified path for the data: that would be a trusted stack. In that case you could have a whitelist, like we have Spam-Blacklists - and you could get a "green light" to be displayed for the user.

openID (and alike systems) help by reducing password flow and introducing claims, so only the needed data is submitted (e.g. not your age if buying shoes) - but the green light must be given by the end of the chain (e.g. the user's browser). It is a way to go. Personally I don't think that all these things can ever reach the target, unless people are aware of what they do.

To leave off all these IT-related thoughts: It is a simple commercial rule that a chance is related to a risk. There are still people thinking of 25% on their money with no risk. When did we introduce the money?? :-)

Cheers,
Ralf

--
Message: 2
Date: Mon, 02 Mar 2009 15:29:56 -0800
From: Diva Canto
Subject: Re: [Opensim-dev] OpenID
To: opensim-dev@lists.berlios.de
Message-ID: <49ac6bf4.5090...@metaverseink.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hurliman, John wrote:
> Do you make a habit of sending your credentials to websites without checking the hostname and ignoring invalid SSL certificate warnings? That will create a problem.
>
Yes, precisely -- a huge problem. Most people don't check those things because they don't even know what they are. They are used to their computer popping up random warning windows with technical jargon -- for example when first running Second Life there are warnings about the application trying to do things that are unsafe, etc, and people will just click ok. It's 10x worse here than in email phishing scams, because people know that they are going to be asked for their password -- that's what it's supposed to do. So they will type it.

I'm just trying to understand the implications of these different identity and authorization mechanisms, and I confess I am puzzled with the suggestion that OpenID is a viable identity scheme beyond confined networks of trust.

Crista
Re: [Opensim-dev] OpenID
Well, being phished - you are talking about "getting the user's token"? Phishing to me is getting information the owner would not grant you, if you did not request it by ways he assumes to be something/someone else requesting this. Just the "token" to log me in.. it's not password phishing or so..

... ah.. I think I got you..

- someone wants to log into "travel.com"
- he logs on to "trovel.com"
- books a journey
- opens the claim (in 2.x of OpenID) on his credit card data

That is the phishing thing you think about? I guess it's not worse than what happens now, the people would just use their credit card on a wrong website. It's a little bit related to your other message "how people interact", but OpenID is not guilty here - it adds just one more warning (people ignore).

Cheers,
Ralf

--
Message: 4
Date: Mon, 02 Mar 2009 15:57:48 -0800
From: Diva Canto
Subject: Re: [Opensim-dev] OpenID
To: opensim-dev@lists.berlios.de
Message-ID: <49ac727c.2020...@metaverseink.com>
Content-Type: text/plain; charset="iso-8859-1"

There is nothing wrong with the mechanism and its roots. In fact, when I first read the spec I liked it a lot. But I hadn't used this until 2 hours ago.

There is, potentially, a huge hole in the resulting system because it ignores how people interact with their computers. Did anyone make a serious study about how the normal people react to being phished on using OpenID? That sounds like a great project for one of my colleagues here at UCI...

Ralf Haifisch wrote:
> Crista,
>
> this is an upcoming standard and common sense. If I do an audit based on ISO
> 27.001, this is a perfect thing and would get some applause if implemented,
> generally speaking.
>
> It is based on the established ideas from LDAP+Kerberos combining systems,
> that use this triangle of user/workstation - auth-provider and
> auth-subscriber in principle, as well.
>
> Microsoft did try to run this with .Net Passport (uhm... maybe they even had
> a name before that) and had a set of criteria you have to fulfill before
> joining the system. People did not like this "closed source big brother -
> alike" system.
>
> openID and SAML are major topics for those devs that are into security
> systems right now. Claim based systems and rights management are often based
> on this.
>
> It is all about a "secure stack".
>
> - hopefully, you did write your operating system - why could it be trusted
>   otherwise?
> - what about the keyboard? easy going to implement what I need
> - is there a "nuble" on your monitor's video cord? is this for anti-interference
>   reasons... hmmm..
> - you print out strategic papers or sources on the big laser printer in the
>   floor (sure, only you in the building).. I did fetch interesting stuff
>   unencrypted from these devices
> - you had this all new USB harddisc for backups that came with some new
>   drivers?
>
> Unless the whole stack from hardware to service is secure and trusts are
> built and verified against each other, what you see is the best that is
> realistically achievable:
>
> --> warn the user, if something is maybe wrong.
>
> It's you who chooses the OpenID provider (I guess verisign is somewhat secure
> for me).
>
> It's you who uses a service - and would have done even without OpenID.
>
> It's you who gets a warning about possible fraud, you would not have been
> getting without OpenID.
>
> Instead of OpenID the usual user has 2000 passwords and requests new
> passwords via clear text email over the web, regularly.
>
> So - in total a regular user gets more security. That's the basic idea.
>
> In some years we will use at least 2-factor authentication. E.g. the
> Netherlands did start giving out passports with a digital ID (certificate).
> Cheap readers will spread.
>
> There is a common sense that "exo-technical means" will better serve
> security needs in future. The more business driven standards like ISO 27.001
> and 38.500 respect this. Technical means will fulfill a task assigned
> exo-technically.
>
> Let's say - this is a new and upcoming system.
> It's not worse than what we have.
> It has many options to get better on a standard architecture.
>
> It's a little bit like the 3D web story...
>
> Cheers,
> Ralf
Re: [Opensim-dev] OpenID
It is already included in the Geneva SDK, the former project Lausagne. And it will be native in Cardspace in some time, does not seem so on start of SP3 for Vista.. aehm.. Windows 7 as they call it.

Cheers,
Ralf

--
Message: 5
Date: Mon, 02 Mar 2009 19:29:54 -0500
From: Aldon Hynes
Subject: Re: [Opensim-dev] OpenID
To: opensim-dev@lists.berlios.de
Message-ID:
Content-Type: text/plain; charset=iso-8859-1

It is worth noting that Microsoft is now adopting OpenID as well. A while ago it went into testing. The idea is that you can use Microsoft Live as your OpenID provider. I've tested it and it works fairly well. In fact, I think it works better than the Google implementation. However, I still prefer XRI based OpenID

=aldon.hynes
@ahynes1
Re: [Opensim-dev] OpenID
As far as I understand, with OAuth your viewer can post your credentials to the OAuth provider, which will provide you with tokens. Tokens you hand to consumers (remote services), which use those to get your identity and deduce the access rights you have.

What Diva explained is the core problem of OpenID. The mechanism is not built into browsers, but it takes web forwarding to your OpenID provider for auth and back. If the user is not careful he can get cheated. Normally OpenID should forward to your OpenID provider according to the URL you gave, and you should be able to see in your browser address bar if you were forwarded to the correct place. Checking this always takes superman qualities, though.

regards,
Tommi
Re: [Opensim-dev] OpenID
On Tue, Mar 3, 2009 at 12:57 AM, Diva Canto wrote:
> There is nothing wrong with the mechanism and its roots. In fact, when I
> first read the spec I liked it a lot. But I hadn't used this until 2 hours
> ago.
>
> There is, potentially, a huge hole in the resulting system because it
> ignores how people interact with their computers. Did anyone make a serious
> study about how the normal people react to being phished on using OpenID?
> That sounds like a great project for one of my colleagues here at UCI...

I think the people will react the same way as usual - they will get stressed and upset :-)

Jokes aside - [1] was an excellent book, and it would be cool for it to be a series, or if there were a regular publication devoted to HCI and security with corresponding research activities.

As far as checking the padlock icon is concerned...

1) It would be interesting to see real-world figures on how many people really click on the padlock icon to check the cert, beyond the security professionals (I think [1] even had a case study for that, and the numbers were pretty catastrophic).

2) MD5 collisions [2] and forged CA certs [3] in particular make even that less than bullet-proof.

OTOH, OpenID does not appear to touch the problem of authentication of the OpenID provider site to the user (at least from my cursory look at [4] - section 15.1.2.1 specifically calls a similar kind of scenario "out of scope", as does item 5 of section 3).

I tend to be in violent agreement with the author of [5] - and I think it would be awesome if the OpenID spec discussed those implementation details - but probably they wanted to keep the spec size within reasonable limits :)

I suspect that the phishing issue in this particular context could be relatively simply solved by timed preauthentication - you log in via a hardcoded OpenID provider URL (bookmarked) beforehand, and upon successful authentication they show you a random picture that is reasonably easy to remember and is valid for, say, 24 hours. (The above step assumes the DNS is not poisoned :-) The subsequent redirect from the Relying Party causes this same image to be shown alongside the request for the credentials. With a big enough pool of images it should somewhat reduce the risk.

Of course, even this is too complex and will require a lot of education (assuming that this quick improvisation of mine actually provides any security).

/d

[1]: http://oreilly.com/catalog/9780596008277/
[2]: http://sechack.blogspot.com/2009/01/md5-collision-demo.html
[3]: http://www.cgisecurity.com/2008/12/-md5-considered-harmful-today-creating-a-rogue-ca-certificate.html
[4]: http://openid.net/specs/openid-authentication-2_0.html
[5]: http://www.ietf.org/mail-archive/web/saag/current/msg02515.html
Re: [Opensim-dev] OpenID
From where I stand, it seems like complete irresponsibility to deploy this out there for real, with a 2.0 tag, without first understanding if/how people detect phishing in this particular context. There have been enough studies in the past about how normal people handle security (or not) in practice, and the fallacies of designing systems assuming that people choose security over convenience.

But hey -- I have no interest in the success or failure of the corporations that are pushing for this. I'll just stay here in my academic ivory tower watching the phishing artists unwrap this wonderful present that is falling into their laps... http://marcoslot.net/apps/openid/

And that's my last email about OpenID; case closed afaic, I'm too old and too cranky for these Web 2.0 experiments. I'd rather continue trying to solve the problem for real :-)

Crista

Aldon Hynes wrote:
It is worth noting that Microsoft is now adopting OpenID as well. A while ago it went into testing. The idea is that you can use Microsoft Live as your OpenID provider. I've tested it and it works fairly well. In fact, I think it works better than the Google implementation. However, I still prefer XRI based OpenID.

=aldon.hynes
@ahynes1

-Original Message-
From: opensim-dev-boun...@lists.berlios.de [mailto:opensim-dev-boun...@lists.berlios.de] On Behalf Of Ralf Haifisch
Sent: Monday, March 02, 2009 6:39 PM
To: opensim-dev@lists.berlios.de
Subject: Re: [Opensim-dev] OpenID
Re: [Opensim-dev] OpenID
It is worth noting that Microsoft is now adopting OpenID as well. A while ago it went into testing. The idea is that you can use Microsoft Live as your OpenID provider. I've tested it and it works fairly well. In fact, I think it works better than the Google implementation. However, I still prefer XRI based OpenID.

=aldon.hynes
@ahynes1

-Original Message-
From: opensim-dev-boun...@lists.berlios.de [mailto:opensim-dev-boun...@lists.berlios.de] On Behalf Of Ralf Haifisch
Sent: Monday, March 02, 2009 6:39 PM
To: opensim-dev@lists.berlios.de
Subject: Re: [Opensim-dev] OpenID
Re: [Opensim-dev] OpenID
There is nothing wrong with the mechanism and its roots. In fact, when I first read the spec I liked it a lot. But I hadn't used this until 2 hours ago.

There is, potentially, a huge hole in the resulting system because it ignores how people interact with their computers. Did anyone make a serious study about how normal people react to being phished on using OpenID? That sounds like a great project for one of my colleagues here at UCI...

Ralf Haifisch wrote:
Re: [Opensim-dev] OpenID
Crista, this is an upcoming standard and common sense. If I do an audit based on ISO 27001, this is a perfect thing and would get some applause if implemented, generally speaking.

It is based on the established ideas from LDAP+Kerberos combining systems that use this triangle of user/workstation - auth-provider - auth-subscriber in principle, as well. Microsoft did try to run this with .Net Passport (uhm... maybe they even had a name before that) and had a set of criteria you have to fulfill before joining the system. People did not like this "closed source big brother-alike" system.

OpenID and SAML are major topics for those devs that are into security systems right now. Claim-based systems and rights management are often based on this.

It is all about a "secure stack".

- hopefully, you did write your operating system - why could it be trusted otherwise?
- what about the keyboard? easy going to implement what I need
- is there a "nuble" on your monitor's video cord? is this for anti-interference reasons... hmmm..
- you print out strategic papers or sources on the big laser printer in the floor (sure, only you in the building).. I did fetch interesting stuff unencrypted from these devices
- you had this all-new USB hard disk for backups that came with some new drivers?

Unless the whole stack from hardware to service is secure and trusts are built and verified against each other, what you see is the best that is realistically achievable:

--> warn the user if something is maybe wrong.

It's you who chooses the OpenID provider (I guess Verisign is somewhat secure for me).

It's you who uses a service - and would have done so even without OpenID.

It's you who gets a warning about possible fraud, which you would not have been getting without OpenID.

Instead of OpenID the usual user has 2000 passwords and requests new passwords via clear-text email over the web, regularly.

So - in total a regular user gets more security. That's the basic idea.

In some years we will use at least 2-factor authentication. E.g. the Netherlands did start giving out passports with a digital ID (certificate). Cheap readers will spread.

There is a common sense that "exo-technical means" will better serve security needs in future. The more business-driven standards like ISO 27001 and 38500 respect this. Technical means will fulfill a task assigned exo-technically.

Let's say - this is a new and upcoming system.
It's not worse than what we have.
It has many options to get better on a standard architecture.

It's a little bit like the 3D web story...

Cheers,
Ralf

--
Message: 6
Date: Mon, 02 Mar 2009 14:44:46 -0800
From: Diva Canto
Subject: Re: [Opensim-dev] OpenID
Re: [Opensim-dev] OpenID
Hurliman, John wrote:
> Do you make a habit of sending your credentials to websites without checking
> the hostname and ignoring invalid SSL certificate warnings? That will create
> a problem.
>
Yes, precisely -- a huge problem. Most people don't check those things because they don't even know what they are. They are used to their computer popping up random warning windows with technical jargon -- for example, when first running Second Life there are warnings about the application trying to do things that are unsafe, etc., and people will just click OK.

It's 10x worse here than in email phishing scams, because people know that they are going to be asked for their password -- that's what it's supposed to do. So they will type it.

I'm just trying to understand the implications of these different identity and authorization mechanisms, and I confess I am puzzled by the suggestion that OpenID is a viable identity scheme beyond confined networks of trust.

Crista
Re: [Opensim-dev] OpenID
Hi Diva,

On Mon, 02 Mar 2009 14:44:46 -0800 Diva Canto wrote:
> I just tried login to some random Brazilian site using my OpenID-ed
> Yahoo account. Indeed, it... works... i guess.
> I seem to have been redirected to a yahoo openid login page, which,
> after I entered my password, proceeded to warn me that "Warning: this
> web site has not confirmed its identity with Yahoo! and might be
> fraudulent".
>
> I have no idea/guarantees that this site that the Brazilian site
> redirected me that looks like Yahoo, where I entered my password, and
> that is warning me of danger, is, indeed, a legitimate Yahoo site. It
> might not be.

The Yahoo site you are redirected to should be using an SSL connection (https:// and the little padlock in the status bar). This is true for myopenid.com, and I would be surprised if it wasn't true for Yahoo's OpenID service as well. If this Yahoo site itself is fraudulent, it somehow must have gotten a valid SSL cert for yahoo.com.

> And I have no idea what that potentially fraudulent
> Brazilian site might do with the info it gets from Yahoo (assuming
> this is Yahoo and not a phishing scam).

The Brazilian website does not get your OpenID password; it only gets confirmation from Yahoo that you are who you claim you are. I think in OpenID 2.0 they also included a notion of attributes that you can share with OpenID consumers (the Brazilian site in this case), such as your name, email address, etc., but you manually approve those before they are shared.

Standard disclaimer: I'm not a security expert either, and I'm not looking at the OpenID documentation as I write this either, so expect bugs in the explanation above.

Hope that helps,
Mike
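Tommi's message above describes the browser being forwarded to the OpenID provider and back, and Mike's describes what the relying party (the "Brazilian site") actually receives: a confirmation from the provider, not the password. What neither spells out is the set of checks a relying party has to perform before it believes that confirmation. The following is an added example, not code from OpenSim or from anyone in this thread. It models the relying-party side of an OpenID 2.0 positive assertion (the `id_res` response) with constructed values: the provider endpoint, the return URL, the association handle and HMAC-SHA256 key, and the nonce are all made up, and the example assumes discovery and association have already happened. The checks are the ones the OpenID 2.0 specification lists for the relying party: the assertion must come from the endpoint discovery produced, over https; `return_to` must match; the required fields must be covered by the signature; the signature must verify against the association key; and the nonce must be fresh and unused.

```python
"""Relying-party checks on an OpenID 2.0 positive assertion (added example, constructed data)."""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed values for this example. In a real deployment the MAC key is
# negotiated with the OP in an "associate" request and the OP endpoint is the
# result of discovery on the user's claimed identifier.
ASSOC_HANDLE = "assoc-constructed-1"
MAC_KEY = b"constructed-shared-secret-not-a-real-key"
DISCOVERED_OP_ENDPOINT = "https://op.example.net/server"   # assumed discovery result
RETURN_TO = "https://grid.example.org/openid/return"       # assumed RP callback URL
DEMO_NONCE = "2009-03-02T22:44:46Zconstructed01"           # OpenID 2.0 nonce shape
DEMO_NOW = datetime(2009, 3, 2, 22, 44, 56, tzinfo=timezone.utc).timestamp()

# Fields that must be covered by the signature in every positive assertion
# (OpenID Authentication 2.0, section 10.1); claimed_id/identity are added when present.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def kv_form(params, signed):
    """Key-Value Form encoding of the signed fields, in the order given by openid.signed."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)


def compute_sig(params, signed, mac_key):
    """Base64 HMAC-SHA256 over the key-value form (the HMAC-SHA256 association type)."""
    digest = hmac.new(mac_key, kv_form(params, signed).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def nonce_timestamp(nonce):
    """Parse the UTC timestamp prefix of an openid.response_nonce (YYYY-MM-DDThh:mm:ssZ)."""
    stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    return stamp.replace(tzinfo=timezone.utc).timestamp()


def make_assertion(op_endpoint, return_to, claimed_id, nonce, mac_key):
    """Build the id_res response an OP would send; used here only to produce input for the verifier."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": ASSOC_HANDLE,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    params["openid.signed"] = ",".join(signed)
    params["openid.sig"] = compute_sig(params, signed, mac_key)
    return params


def verify_assertion(params, expected_return_to, expected_endpoint, mac_key,
                     seen_nonces, now, max_skew=300):
    """Return (ok, reason). seen_nonces is the RP's replay cache keyed by (endpoint, nonce)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    endpoint = params.get("openid.op_endpoint", "")
    # The assertion must come from the endpoint discovery produced, over TLS;
    # a plausible-looking endpoint that is not that one is rejected outright.
    if endpoint != expected_endpoint or urlsplit(endpoint).scheme != "https":
        return False, "op_endpoint does not match discovery or is not https"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    if params.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle"
    signed = params.get("openid.signed", "").split(",")
    required = set(REQUIRED_SIGNED)
    if "openid.claimed_id" in params:
        required |= {"claimed_id", "identity"}
    if not required.issubset(signed) or any("openid." + k not in params for k in signed):
        return False, "required field not covered by signature"
    expected_sig = compute_sig(params, signed, mac_key)
    if not hmac.compare_digest(expected_sig, params.get("openid.sig", "")):
        return False, "bad signature"
    nonce = params["openid.response_nonce"]
    try:
        issued = nonce_timestamp(nonce)
    except ValueError:
        return False, "malformed nonce"
    if abs(now - issued) > max_skew:
        return False, "nonce outside acceptable window"
    if (endpoint, nonce) in seen_nonces:
        return False, "replayed assertion"
    seen_nonces.add((endpoint, nonce))
    return True, "ok"


if __name__ == "__main__":
    cache = set()
    good = make_assertion(DISCOVERED_OP_ENDPOINT, RETURN_TO, "https://joe.example.com/", DEMO_NONCE, MAC_KEY)
    print(verify_assertion(good, RETURN_TO, DISCOVERED_OP_ENDPOINT, MAC_KEY, cache, DEMO_NOW))  # accepted
    print(verify_assertion(good, RETURN_TO, DISCOVERED_OP_ENDPOINT, MAC_KEY, cache, DEMO_NOW))  # replay rejected
```

Every check here runs on the relying party's server and protects the relying party: it cannot be handed a forged or replayed confirmation, and it never sees the user's password. None of it protects the user who types that password into a lookalike provider page, which is exactly the gap Diva's messages are about; the user-facing side of the exchange is what Tommi's "superman qualities" remark and Dmitri's preauthentication idea are addressing.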
Re: [Opensim-dev] OpenID
Do you make a habit of sending your credentials to websites without checking the hostname and ignoring invalid SSL certificate warnings? That will create a problem.

John

>-Original Message-
>From: opensim-dev-boun...@lists.berlios.de [mailto:opensim-dev-boun...@lists.berlios.de] On Behalf Of Diva Canto
>Sent: Monday, March 02, 2009 2:45 PM
>To: opensim-dev@lists.berlios.de
>Subject: Re: [Opensim-dev] OpenID
Re: [Opensim-dev] OpenID
OMG!

Sorry for insisting on this, but I tend to get obsessive when I'm trying to figure things out :-)

I just tried logging in to some random Brazilian site using my OpenID-ed Yahoo account. Indeed, it... works... I guess. I seem to have been redirected to a Yahoo OpenID login page, which, after I entered my password, proceeded to warn me that "Warning: this web site has not confirmed its identity with Yahoo! and might be fraudulent".

I have no idea/guarantees that this site that the Brazilian site redirected me to, that looks like Yahoo, where I entered my password, and that is warning me of danger, is, indeed, a legitimate Yahoo site. It might not be. And I have no idea what that potentially fraudulent Brazilian site might do with the info it gets from Yahoo (assuming this is Yahoo and not a phishing scam).

Sorry, this defies all common sense...

I can see the *mechanism* of OpenID working among a group of organizations that trust each other by exo-technical means (read lawyers). But this mechanism in decentralized, world-wide open systems?! That's insane!

Crista

Diva Canto wrote:
[Opensim-dev] OpenID
The more I read about OpenID the more concerns I have that it's unsafe -- not just for OpenSim but in general. It seems that OpenID is a wonderful opportunity for phishing sites to get access to people's passwords directly.

The flaw is that it assumes that the initial site is trustworthy. That's a huge assumption! Try to use your OSGrid OpenID-ed account in a future version of DNCH... it will direct you to a page that will look like OSGrid's login page, and then it will steal your password as you type it.

Is this serious?! Maybe I'm missing something fundamental...

Crista