Mike Mazur wrote:
> Hi,
>
> On Tue, 3 Mar 2009 08:40:03 +0100
> "Ralf Haifisch" <r...@ralf-haifisch.biz> wrote:
>
>> being phished - you are talking about "getting the user's token"?
>
> The expected scenario is this:
>
> 1. Log into travel.com using OpenID
> 2. travel.com redirects you to myopenid.com for you to enter your pwd
> 3. You enter your valid OpenID password
> 4. myopenid.com redirects you back to travel.com, you are now authed
> 5. You book your ticket safely
>
> The phishing scenario is this:
>
> 1. Log into travol.com using OpenID
> 2. travol.com redirects you to BADopenid.com for you to enter your pwd.
>    BADopenid.com looks just like myopenid.com, you don't notice the
>    different URL and the lack of SSL session

na, na, na. that's the script kiddie scenario. EVILopenid.com uses a
certificate --- if they can't get a valid one (though why wouldn't they),
they'd generate one each day that is just one day past its validity...

> 3. You enter your valid OpenID password
> 4. Now the bad guys have access to your OpenID account, and all the
>    services you use OpenID to authenticate with
>
> Mike
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev@lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev

-- 
dr dirk husemann ---- virtual worlds research ---- ibm zurich research lab
SL: dr scofield ---- drscofi...@xyzzyxyzzy.net ---- http://xyzzyxyzzy.net/
RL: h...@zurich.ibm.com - +41 44 724 8573 - http://www.zurich.ibm.com/~hud/
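Added example (editor's illustration, not code from this thread or from OpenSim): a user-agent-side check for the redirect flow Mike describes above. In OpenID 2.0 the OP endpoint for a claimed identifier is learned by discovery on that identifier, so the thing a cautious client can actually verify is whether the endpoint the relying party redirects the browser to is the one discovery returned. The discovery table, the OP endpoints, the `build_auth_request` helper and the `check_openid_redirect` / `levenshtein` functions are all assumptions constructed for this example; the lookalike threshold of 2 is arbitrary. The third sample redirect reflects Dirk's point: a lookalike OP with a valid certificate passes the TLS check and is caught only by the endpoint comparison.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed discovery table (assumption): the OP endpoint that Yadis/XRDS
# or HTML-link discovery on the claimed identifier would return. In a real
# client this is fetched; here it is inlined so the example runs offline.
DISCOVERED_OP = {
    "https://alice.myopenid.com/": "https://www.myopenid.com/server",
}

LOOKALIKE_MAX_DISTANCE = 2  # arbitrary threshold for flagging near-miss hosts


def build_auth_request(op_endpoint, claimed_id, return_to):
    """Build the checkid_setup redirect URL an RP sends the browser to."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": return_to,
    }
    return op_endpoint + "?" + urlencode(params)


def levenshtein(a, b):
    """Edit distance, used only to label a mismatching host as a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_openid_redirect(redirect_url, discovered=DISCOVERED_OP):
    """Return findings for the URL the RP told the browser to visit.

    Order of checks: transport first (the thread's "lack of SSL session"),
    then the check that actually matters: does the endpoint match what
    discovery on the claimed identifier returned?
    """
    parts = urlsplit(redirect_url)
    params = parse_qs(parts.query)
    findings = []

    mode = params.get("openid.mode", [None])[0]
    if mode not in ("checkid_setup", "checkid_immediate"):
        return ["not_an_openid_auth_request"]

    if parts.scheme != "https":
        findings.append("no_tls")

    claimed_id = params.get("openid.claimed_id", [None])[0]
    expected = discovered.get(claimed_id)
    if expected is None:
        findings.append("unknown_claimed_id")
        return findings

    exp = urlsplit(expected)
    actual_host, expected_host = parts.netloc.lower(), exp.netloc.lower()
    if actual_host != expected_host or parts.path != exp.path:
        findings.append("endpoint_mismatch")
        # A host that is one or two edits away from the real OP is the
        # travel.com / travol.com trick applied to the provider.
        if 0 < levenshtein(actual_host, expected_host) <= LOOKALIKE_MAX_DISTANCE:
            findings.append("lookalike_host")
    return findings


if __name__ == "__main__":
    claimed = "https://alice.myopenid.com/"
    # 1. Honest RP, real OP: no findings.
    # 2. Phishing RP, plain-http lookalike OP: script kiddie scenario.
    # 3. Phishing RP, lookalike OP with a valid certificate: TLS check passes,
    #    only the discovery comparison catches it.
    samples = [
        build_auth_request("https://www.myopenid.com/server", claimed,
                           "https://travel.com/openid/return"),
        build_auth_request("http://badopenid.com/server", claimed,
                           "https://travol.com/openid/return"),
        build_auth_request("https://www.myopenld.com/server", claimed,
                           "https://travol.com/openid/return"),
    ]
    for url in samples:
        print(urlsplit(url).netloc, "->", check_openid_redirect(url) or "ok")
```

The TLS check alone is not a defence: it only distinguishes the sloppy attacker from the careful one. The endpoint comparison is the check a user agent (or a browser extension, or a pinned-OP setting) can perform, because the phishing RP cannot change what discovery on the user's own identifier returns.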