Educause Security Discussion mailing list archives
Re: Follow Up To Re: Campus Single Sign-On
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 25 Aug 2011 13:33:58 -0400
On Thu, 25 Aug 2011 16:48:38 -0000, "pmorley () mcdaniel edu" said:
> We have gone ahead and made a decision as to the platform we will support. I'm not going to disclose it for security purposes,
You *do* realize the security obtained that way is somewhere between zero and none, right? Especially since any attacker that actually cares which one you use will be able to figure it out *really* fast anyhow? Anything from asking Google if it's indexed any of your IT News pages regarding the coming deployment, to getting a zombied system and having it hit a page and seeing what the SSO screen looks like, to....

In a related note - what are people doing with the whole SSO thing in a world where Vint Cerf claims 140 million zombied computers - what confidence level do you assign to an SSO session that it's *really* that user?
Current thread:
- Follow Up To Re: Campus Single Sign-On pmorley () mcdaniel edu (Aug 25)
- Re: Follow Up To Re: Campus Single Sign-On Valdis Kletnieks (Aug 25)