[DotGNU]On Security Risks for Single Sign-on

dotgnu-general

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[DotGNU]On Security Risks for Single Sign-on

From:	Jean Camp
Subject:	[DotGNU]On Security Risks for Single Sign-on
Date:	Wed, 8 Aug 2001 17:39:44 +0100

No brain surgery in there, but dotgnu removes the single point ofattack and also the cookies problem. Of course no system can fix thetrojan window problem described by Alma Whitten of CMU.



http://avirubin.com/passport.html

"As just mentioned, one of the constraints of Passport is that it wasdesigned to use existing web technologies, so that clients andservers need notbe modified. The protocol leverages HTTP redirects, Javascript,cookies, and SSL. While Javascript is not absolutely required, it ishighlyrecommended. Some of the attacks described below result from somefundamental problems with security on the web, and in particular, thepublickey infrastructure that is built into browsers. As such, they are notspecific to Passport, but nonetheless represent risks of using thatsystem (and

any system subject to these constraints). "
--

This message in no way represents the opinions of Harvard. Anyopinions, thoughts, and misspellings are entirely my own. Thecontents of this message authored by Jean Camp are copyrighted, Camp,on the date of transmittal.

[Prev in Thread]

Current Thread

[Next in Thread]

[DotGNU]On Fighting patents, Antonio Ognio, 2001/08/04
- Re: [DotGNU]On Fighting patents, Norbert Bollow, 2001/08/07
- RE: [DotGNU]On Fighting patents, Brent Fulgham, 2001/08/07
  - [DotGNU]On Security Risks for Single Sign-on, Jean Camp <=
- Re: [DotGNU]On Fighting patents, TonStanco, 2001/08/07

Prev by Date: [DotGNU]Re: New project proposal system
Next by Date: Re: [DotGNU]Copyright waivers for developers?
Previous by thread: RE: [DotGNU]On Fighting patents
Next by thread: Re: [DotGNU]On Fighting patents
Index(es):
- Date
- Thread