[sugar] XO identity shared via Browse

Luke Faraone luke at laptop.org
Thu Dec 4 11:40:34 EST 2008


Oops, sent from the wrong address:
On Dec 4, 2008, at 11:39, Luke Faraone <ffm246 at gmail.com> wrote:

> Ever seen those popups that try to look like Windows dialogs to get
> you to install spyware? The same can be done here, and Sugar doesn't
> help by naming Browse's spawned windows as "rainbow-daemon"...
>
> The point is moot, however, because the user is simply giving his
> authorization (not a password), and the Jabber authentication
> messages have to originate from the actual XO (or machine with that
> JID).
>
> -lf
>
> On Dec 4, 2008, at 10:59, "Sebastian Silva"  
> <sebastian at fuentelibre.org> wrote:
>> Second, and more importantly, if we do this right, his description of
>> the problem does not bite us because a child is already logged in by
>> the time he goes outside to the wild phishing monster filled world.
>> If the fake OpenID sends you to a fake user/pass page (weren't we
>> discussing passwordless?) - it should be suspicious since he'll know
>> he's already logged in.
>>
>> Also, more importantly, if the login confirmation is done via the GUI
>> (and not a website), then the problem is gone (how can you fake a
>> Sugar dialog from a website?).

