[DotGNU]On Security Risks for Single Sign-on
From: Jean Camp
Subject: [DotGNU]On Security Risks for Single Sign-on
Date: Wed, 8 Aug 2001 17:39:44 +0100
No brain surgery in there, but DotGNU removes the single point of attack and also the cookies problem. Of course no system can fix the trojan window problem described by Alma Whitten of CMU.

http://avirubin.com/passport.html
"As just mentioned, one of the constraints of Passport is that it was designed to use existing web technologies, so that clients and servers need not be modified. The protocol leverages HTTP redirects, Javascript, cookies, and SSL. While Javascript is not absolutely required, it is highly recommended. Some of the attacks described below result from some fundamental problems with security on the web, and in particular, the public key infrastructure that is built into browsers. As such, they are not specific to Passport, but nonetheless represent risks of using that system (and any system subject to these constraints)."
--
This message in no way represents the opinions of Harvard. Any
opinions, thoughts, and misspellings are entirely my own. The
contents of this message authored by Jean Camp are copyrighted, Camp,
on the date of transmittal.