Interesting People mailing list archives
IP: Risks of the Passport Single Signon Protocol
From: David Farber <dave () farber net>
Date: Mon, 06 Aug 2001 04:12:01 -0400
From: "the terminal of Geoff Goodfellow" <geoff () iconia com>
To: "Dave E-mail Pamphleteer Farber" <farber () cis upenn edu>
Subject: Risks of the Passport Single Signon Protocol
Date: Mon, 6 Aug 2001 10:02:40 +0200

Risks of the Passport Single Signon Protocol

David P. Kormann and Aviel D. Rubin
AT&T Labs - Research
180 Park Avenue
Florham Park, NJ 07932
{davek,rubin}@research.att.com

Abstract

Passport is a protocol that enables users to sign onto many different merchants' web pages by authenticating themselves only once to a common server. This is important because users tend to pick poor (guessable) user names and passwords and to repeat them at different sites. Passport is notable as it is being very widely deployed by Microsoft. At the time of this writing, Passport boasts 40 million consumers and more than 400 authentications per second on average. We examine the Passport single signon protocol, and identify several risks and attacks. We discuss a flaw that we discovered in the interaction of Passport and Netscape browsers that leaves a user logged in while informing him that he has successfully logged out. Finally, we suggest several areas of improvement.

Keywords: Web Security, Single Signon, Authentication, E-commerce

http://avirubin.com/passport.html

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
geoff.goodfellow () iconia com, Prague CZ * tel/mobil +420 (0)603 706 558
"success is getting what you want & happiness is wanting what you get"
http://www.nytimes.com/library/tech/99/01/biztech/articles/17drop.html
For archives see: http://www.interesting-people.org/