Re: [ubuntu-in] [OT] OpenId Discussion
> I think we have a misunderstanding here. You will _not_ have to provide any password when a site says LogIn using OpenID. You just have to paste a URL and then the user is redirected to the site of the OpenID provider where you choose to sign up (and hence you enter the password there). I think there is no question of middlemen here. If at all there is any such case, it very much holds good when you are logging in directly into the OpenID service provider (e.g. LiveJournal).
>
> This is a problem and a known issue. Hence, you see sometimes this mailing list or several others getting... "Forbia has invited you to be his friend" kind of mails (which clearly is an act of ignorance). Also another way out is to have separate email ids for mailing list subscriptions (but that's another topic completely).
>
> I will be very interested in further discussions on this topic. Thanks for starting such a thread.
>
> Regards,
> Aanjhan

I'm just trying to understand how ANY user would trade away information like that so easily.. And want some people who have used these invitation services to tell us all what gave them the confidence to do so..

With one developer resources website, I had to enter my OpenId which would be [EMAIL PROTECTED] and then the password.. I was redirected for authentication (agreed) but in between, I did send my info to the site.. I mean, from my side it would have been a mistake to trust the site.. But I was just testing something out so that's ok..

--
Jay
Impossible Is Nothing
http://www.amonks.in

--
ubuntu-in mailing list
ubuntu-in@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-in
Re: [ubuntu-in] [OT] OpenId Discussion
On 8/13/08, Jayanth S [EMAIL PROTECTED] wrote:
> With one developer resources website, I had to enter my OpenId which would be [EMAIL PROTECTED] and then the password..

.. which can be different than the one you use at the open provider.

For example, let's say you're using [EMAIL PROTECTED] to login on ubuntu-in.org. You will need to sign in on the same browser at xyz.com, you need to remain signed in, so that the session is in progress and it can be identified by the provider that you're signed in from the same PC. Then you are asked if you want to allow ubuntu-in.org to allow using that openid provider and further optional details that you would like to divulge.

The password you provide at ubuntu-in.org need not be the same as the one for [EMAIL PROTECTED]. ubuntu-in.org will never know what password is being used at xyz.com. Thus, ubuntu-in.org doesn't have any extra information other than the one you provided.

So is the case with many of those spamming sites like twitter and so on. They can't have your password unless you explicitly give them. All those invites you see are from ignorant people who give away their passwords for a stupid reason. I am subscribed to twitter using the same email address that I am typing this email from.
Re: [ubuntu-in] [OT] OpenId Discussion
> With one developer resources website, I had to enter my OpenId which would be [EMAIL PROTECTED] and then the password.. I was redirected for authentication (agreed) but in between, I did send my info to the site.. I mean, from my side it would have been a mistake to trust the site.. But I was just testing something out so that's ok..

OpenID is not supposed to work this way. The site which supports openid authentication never asks for a password. The way it works is like this. Let's say you need to login to ubuntu-in.org using openid provided by launchpad.

1. In the login box on ubuntu-in.org, you enter your launchpad openid.
2. You are redirected to launchpad.
3. If there is no existing session with launchpad, step 4 is executed else step 5 is executed.
4. Launchpad asks you for your username and password.
5. Launchpad asks whether you want ubuntu-in.org to identify you through launchpad. You also have options like only once or always.
6. Launchpad sends confirmation to ubuntu-in.org that you have been authenticated.
7. ubuntu-in.org creates a session for you.

So nowhere in the process does ubuntu-in.org ask you for the password.

Hope this helps.

Onkar
Re: [ubuntu-in] [OT] OpenId Discussion
Jayanth S wrote:
> I'm just trying to understand how ANY user would trade away information like that so easily.. And want some people who have used these invitation services to tell us all what gave them the confidence to do so..

Because people are still not aware of security, its exploits and its impact on their lives. If you ever watch, the kind of people who usually fall prey to those trade-offs are not mature people who have been using the Internet and various services available online. It's enthusiastic kids who do not care much about their online privacy and security.

Second, these are also people who do not look before they leap. They do not realize that the site is just going to use their entire address book, which unfortunately also contains mailing list addresses. They do not realize that this will eventually result in their email account being used as a carrier for mass amount of spam. People who are aware of this, or have experienced the embarrassment once in their lifetime, are more careful not to go for it.

At the end of the day, it's all about awareness and I don't see an end to this until the social networking sites themselves stop this method (which won't also happen).

> With one developer resources website, I had to enter my OpenId which would be [EMAIL PROTECTED] and then the password.. I was redirected for authentication (agreed) but in between, I did send my info to the site.. I mean, from my side it would have been a mistake to trust the site.. But I was just testing something out so that's ok..

If you fully understand how the OpenID mechanism works and have tried to implement a sample of it for yourself, then you wouldn't be confused as you are. For you on your browser, it might be yanking of sites where you jump from your site-of-interest to site-of-authentication, then again back to your site-of-interest, being authenticated in between.

But internally it is fully secure that your information from the authentication site (say your SSH and PGP keys in Launchpad) has no way of being read by the site-of-interest, as the authentication site only performs an authentication and sends back a yes or no. The site-of-interest is just performing an auth check with the authentication site whether you are genuinely what you claim to be. When the reply is yes, you are allowed to access the site as what you claimed to be.

All you provide to the target site of interest is the OpenID URL provided by the authentication site and no credentials such as username or password. Hence by no means can the target site steal info from the authentication site without your knowledge. Even if the target site saves that URL and tries later when your session is off, all it will get back is the authentication site's login window, which the target site has no way of getting authenticated. Thus your privacy is secured.

You may counter argue that there needs to be an authentication site/service, and you still need to enter username and password there. But as of now, we need one such service for authentication and you may resort to using multiple authentication sites with different and strong passwords to protect yourselves. 100% security is a myth in this world, so you have to settle for the most comfortable option you feel to be secure enough.

--
---
With Regards,
Parthan technofreak
gpg 2FF01026
blog http://blog.technofreak.in
Re: [ubuntu-in] [OT] OpenId Discussion
> Because people are still not aware of security, its exploits and its impact on their lives. If you ever watch, the kind of people who usually fall prey to those trade-offs are not mature people who have been using the Internet and various services available online. It's enthusiastic kids who do not care much about their online privacy and security.
>
> Second, these are also people who do not look before they leap. They do not realize that the site is just going to use their entire address book, which unfortunately also contains mailing list addresses. They do not realize that this will eventually result in their email account being used as a carrier for mass amount of spam. People who are aware of this, or have experienced the embarrassment once in their lifetime, are more careful not to go for it.
>
> At the end of the day, it's all about awareness and I don't see an end to this until the social networking sites themselves stop this method (which won't also happen).

There is just more to it.. For me, my primary Gmail and my orkut accounts are not linked (for that very reason).. When we talk about security in general, such a simple app (like the invite your gmail friends app) could read the entire history of this person.. From emails to blog posts to picasa to orkut everything..

I'm just adding to what Parthan has mentioned..

--
Jay
Impossible Is Nothing
http://www.amonks.in