On 7/7/2016 8:50 AM, IngeGNUe wrote: > Now, now, we're moving the goal post. First it was spyware, then it was > malware in general, and now vulnerabilities? These are all distinct > categories.
You made an assertion about trusted sources. I countered with the trust you place in a source has nothing to do with the quality and security, and that trust placed in FLOSS because it is FLOSS is misplaced. > I'm having trouble understanding yet why it would be a risk for > passwords as long as the federation remains within Google Apps (Drive, > YouTube, Docs, Mail, the whole potato) If you use Google's identity service on a site and you don't have a valid token (cookie) then you need to get a token. The site will redirect you to a login page. This is how it is intended to work. If the site's servers are compromised then they can easily be configured to direct users to a fake login page regardless of valid tokens. These fake login pages can collect credentials and forward them to Google using the identity platform APIs. Users get (new) valid tokens and attackers get users' credentials. -- Rich P. _______________________________________________ Discuss mailing list [email protected] http://lists.blu.org/mailman/listinfo/discuss
