Jayanth S wrote:
> I'm just trying to understand how ANY user would trade away
> information like that so easily.. And want some people who have used
> these invitation services to tell us all what gave them the confidence
> to do so..

Because people are still not aware of security, its exploits and its impact on their lives. If you ever watch the kind of people who usually fall prey to those trade-offs, they are not mature people who have been using the Internet and the various services available online. It's enthusiastic kids who do not care much about their online privacy and security. Second, these are also people who do not look before they leap. They do not realize that the site is just going to use their entire address book, which unfortunately also contains mailing list addresses. They do not realize that this will eventually result in their email account being used as a carrier for massive amounts of spam. People who are aware of this, or have experienced the embarrassment once in their lifetime, are more careful not to go for it. At the end of the day, it's all about awareness and I don't see an end to this until the social networking sites themselves stop this method (which also won't happen).

> With one developer resources website, I had to enter my OpenID which
> would be [EMAIL PROTECTED] and then the password.. I was redirected
> for authentication (agreed) but in between, I did send my info to the
> site.. I mean, from my side it would have been a mistake to trust the
> site.. But I was just testing something out so that's ok..

If you fully understand how the OpenID mechanism works and have tried to implement a sample of it yourselves, then you wouldn't be confused as you are. For you, on your browser, it might look like being yanked between sites, where you jump from your site-of-interest to the site-of-authentication and then back again to your site-of-interest, being authenticated in between.

But internally it is fully secure: your information at the authentication site (say your SSH and PGP keys in Launchpad) has no way of being read by the site-of-interest, as the authentication site only performs an authentication and sends back a yes or no. The site-of-interest is just performing an auth check with the authentication site, asking whether you are genuinely who you claim to be. When the reply is yes, you are allowed to access the site as who you claimed to be. All you provide to the target site-of-interest is the OpenID URL provided by the authentication site, and no credentials such as username or password. Hence by no means can the target site steal info from the authentication site without your knowledge. Even if the target site saves that URL and tries later when your session is off, all it will get back is the authentication site's login window, which the target site has no way of getting authenticated at. Thus your privacy is secured.

You may counter-argue that there needs to be an authentication site/service, and you still need to enter a username and password there. But as of now, we need one such service for authentication, and you may resort to using multiple authentication sites with different and strong passwords to protect yourselves. 100% security is a myth in this world, so you have to settle for the most comfortable option you feel to be secure enough.

--
---
With Regards,
Parthan "technofreak"
<gpg> 2FF01026
<blog> http://blog.technofreak.in

--
ubuntu-in mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-in
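A toy model of the redirect flow Parthan describes, as an added example that is not part of the original post and not the code of any OpenID library: the provider alone checks the password and hands back only a signed yes bound to the relying party's return address, so a relying party that merely stored the OpenID URL gets the login window (no assertion) and cannot log in on its own. The class and endpoint names, the pre-shared association secret and the single constructed user record are all assumptions.

```python
import hashlib
import hmac
import secrets

class OpenIDProvider:
    def __init__(self, assoc_secret):
        # Constructed user record (hypothetical user): OpenID URL -> password hash. Only the provider holds it.
        self.users = {"http://alice.example.org/": hashlib.sha256(b"correct horse").hexdigest()}
        self.assoc_secret = assoc_secret  # assumed shared with the relying party via an association step
        self.sessions = set()
    def login(self, openid_url, password):
        ok = self.users.get(openid_url) == hashlib.sha256(password.encode()).hexdigest()
        if ok:
            self.sessions.add(openid_url)
        return ok
    def checkid(self, openid_url, return_to, nonce):
        # Without a live session at the provider the caller gets the login window, not an assertion.
        if openid_url not in self.sessions:
            return {"mode": "setup_needed"}
        msg = f"{openid_url}|{return_to}|{nonce}".encode()
        sig = hmac.new(self.assoc_secret, msg, hashlib.sha256).hexdigest()
        return {"mode": "id_res", "claimed_id": openid_url, "return_to": return_to, "nonce": nonce, "sig": sig}

class RelyingParty:
    def __init__(self, provider, assoc_secret):
        self.provider, self.assoc_secret = provider, assoc_secret
        self.return_to = "https://rp.example.net/finish"  # assumed RP endpoint
        self.seen_nonces = set()
    def begin(self, openid_url):
        # The RP sends only the OpenID URL and a fresh nonce; it never sees a password.
        return self.provider.checkid(openid_url, self.return_to, secrets.token_hex(8))
    def finish(self, resp):
        # Accept only a signed positive assertion bound to our return_to that has not been replayed.
        if resp.get("mode") != "id_res" or resp["return_to"] != self.return_to or resp["nonce"] in self.seen_nonces:
            return False
        msg = f"{resp['claimed_id']}|{resp['return_to']}|{resp['nonce']}".encode()
        expected = hmac.new(self.assoc_secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp["sig"]):
            return False
        self.seen_nonces.add(resp["nonce"])
        return True

def demo():
    secret = secrets.token_bytes(32)
    op = OpenIDProvider(secret)
    rp = RelyingParty(op, secret)
    url = "http://alice.example.org/"
    url_only = rp.finish(rp.begin(url))  # RP holds the stored URL but the user has no session: False
    op.login(url, "correct horse")       # the user authenticates at the provider, not at the RP
    live = rp.finish(rp.begin(url))      # a signed yes comes back: True
    forged = dict(rp.begin(url), claimed_id="http://bob.example.org/")
    return url_only, live, rp.finish(forged)  # tampered claimed_id fails the signature check: False
```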
