[sldev] [POLICY] Development by consensus (Re: Question regarding
upcoming maintenance on 11/27-
dirk husemann
hud at zurich.ibm.com
Wed Nov 28 04:30:07 PST 2007
Callum Lerwick wrote:
> On Tue, 2007-11-27 at 19:46 +0000, Matthew Dowd wrote:
>
>> This claim is constantly made with no justification. The only known
>> phishing attempt involving the grid was when someone managed to craft
>> a URL to cause the client to logon to a third party server. The
>> correct solution to that would be to use MD5 Challenge Response so
>> that the password is never sent to the authenticating server
>> (worryingly in Sabin's summary of the meeting, he completely missed the
>> raison d'etre behind MD5 challenge response).
>>
>
> You keep making THIS claim, which seems to be bullshit. As I discovered
> with the Fedora 8 curl bug, packet sniffing confirms the client DOES
> authenticate over SSL. And it better be properly checking the server
> certificate. If so, the client will NOT send your password to a non-LL
> server.
>
hmm...it does seem to send passwords to OpenSim servers...at least i've
never seen the client become concerned about that...
--
dr dirk husemann, pervasive computing, ibm zurich research lab
--- hud at zurich.ibm.com --- +41 44 724 8573 --- SL: dr scofield