[sugar] XO identity shared via Browse
Luke Faraone
ffm246 at gmail.com
Thu Dec 4 11:39:19 EST 2008
Ever seen those popups that try to look like Windows dialogs to get
you to install spyware? The same can be done here, and Sugar doesn't
help by naming Browse's spawned windows as "rainbow-daemon"...
The point is moot, however, because the user is simply giving his
authorization (not a password), and the Jabber authentication messages
have to originate from the actual XO (or machine with that JID).
-lf
On Dec 4, 2008, at 10:59, "Sebastian Silva"
<sebastian at fuentelibre.org> wrote:
> Second, and more importantly, if we do this right, his description of
> the problem does not bite us because a child is already logged in by
> the time he goes outside to the wild phishing monster filled world.
> If the fake OpenID sends you to a fake user/pass page (weren't we
> discussing passwordless?) - it should be suspicious since he'll know
> he's already logged in.
>
> Also, more importantly, if the login confirmation is done via the GUI
> (and not a website), then the problem is gone (how can you fake a
> Sugar dialog from a website?).
-LF