Ever seen those popups that try to look like windows dialogs to get you to install spyware? The same can be done here, and sugar doesn't help by naming browse's spawned windows as "rainbow-daemon"...
The point is moot, however, because the user is simply giving his authorization (not a password), and the jabber authentication messages have to originate from the actual XO. (or machine with that JID). -lf On Dec 4, 2008, at 10:59, "Sebastian Silva" <sebast...@fuentelibre.org> wrote: > Second, and more importantly, if we do this right, his description of > the problem does not bite us because a child is already logged in by > the time he goes outside to the wild phishing monster filled world. > If the fake OpenID sends you to a fake user/pass page (weren't we > discussing passwordless?) - it should be suspicious since he'll know > he's already logged in. > > Also, more importantly, if the login confirmation is done via the GUI > (and not a website), then the problem is gone (how can you fake a > sugar dialog from a website?). -LF _______________________________________________ Sugar mailing list Sugar@lists.laptop.org http://lists.laptop.org/listinfo/sugar
