[OpenID] About securing my OpenID
Alaric Dailey
alaricdailey at hotmail.com
Tue Jul 3 15:52:15 UTC 2007
I think he is actually talking about cookie stealing, which is still
possible. Besides, if the relying site falls for a spoof site, because the
tool kit doesn't force SSL or because of poorly constructed login
mechanisms, then fraudulent logons are still possible.
Biting my tongue so I don't rant.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Evan Prodromou
Sent: Tuesday, July 03, 2007 08:23
To: openid-general
Cc: Mostafa
Subject: Re: [OpenID] About securing my OpenID
On Tue, 2007-03-07 at 10:59 +0300, Mostafa wrote:
> Hi, i sent long time ago asking about, what if i *trusted *some
> website *forever *, can any one, that don't have my openid login info
> , to use my OpenID in that website without my permission?
It depends on what you mean by "use" your OpenID. If you're asking whether
they can, for example, print your OpenID URL on a user page (see my user
page at Wikitravel: http://wikitravel.org/en/User:Evan - my OpenID is
printed right under the title) -- the answer is yes, they can.
But if you mean, can anyone use it to act as you on the Web site (post
comments as if you had posted them, for example), the answer is no. They
also can't use your OpenID to log into other Web sites.
-Evan
--
Evan Prodromou - evan at prodromou.name - http://evan.prodromou.name/
More information about the general
mailing list