[ISN] Risks of the Passport Single Signon Protocol

From: InfoSec News (isnat_private)
Date: Mon Aug 06 2001 - 01:16:04 PDT


    http://avirubin.com/passport.html
    
    David P. Kormann and Aviel D. Rubin
    AT&T Labs - Research
    180 Park Avenue
    Florham Park, NJ 07932
    {davek,rubin}@research.att.com
    
    Abstract
    
    Passport is a protocol that enables users to sign onto many different
    merchants' web pages by authenticating themselves only once to a
    common server. This is important because users tend to pick poor
    (guessable) user names and passwords and to repeat them at different
    sites. Passport is notable as it is being very widely deployed by
    Microsoft. At the time of this writing, Passport boasts 40 million
    consumers and more than 400 authentications per second on average. We
    examine the Passport single signon protocol, and identify several
    risks and attacks. We discuss a flaw that we discovered in the
    interaction of Passport and Netscape browsers that leaves a user
    logged in while informing him that he has successfully logged out.
    Finally, we suggest several areas of improvement.
    
    Keywords:  Web Security, Single Signon, Authentication, E-commerce
    
    [...]
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 03:15:40 PDT