Vulnerability Development mailing list archives
Re: Single SignOn
From: zev.lavon () CHROMATIX COM (Zev Lavon)
Date: Fri, 25 Feb 2000 18:21:34 -0500
There are several other products that claim to implement a decent single sign on. They are:

- EnCommerce - getAccess
- Gradient - NetCrusader
- Netegrity SiteMinder
- CyberSafe TrustBroker
- Dascom / Intraverse WebSEAL
- HP DomainGuard

Do you happen to have any comparative information on just how well they are designed to protect against the scenario described below and whether any of them truly scaled well?

Regards
Zev Lavon

-----Original Message-----
From: Ben Grubin [SMTP:BGrubin () SCIENT COM]
Sent: Thursday, February 24, 2000 1:21 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Single SignOn

Good lord, I hope this saves you a lot of trouble. The enCommerce application is unbelievably shaky. Security-wise, since it utilizes CORBA services in a multi-tier method, it becomes hellishly unhappy to firewall between the CORBA service providers and the clients (such as the Netscape Enterprise Server plugin); its use of UDP also makes this challenging. More importantly though, they used CORBA without a real need---it's overly complex.

We did a major ecommerce financial implementation, and found its scalability *severely* lacking. We're probably 15 patchlevels ahead of the standard distribution, and even then it's the most common component failure in the entire system. At its core, it's simply an immature product, much like the rest of the space, but it does have potential.

I do not have experience with the IBM product to compare it.

Hope it helps,
Cheers,
Ben

---
Benjamin P. Grubin / bgrubin () scient com - PGP key available
Infrastructure/Security Architect / mobile (617) 513-5978 fax (617) 585-3230
Scient -- Be Legendary / http://www.scient.com/ ticker://SCNT
-----Original Message-----
From: Vanna P. Rella [mailto:vamprella () CHICKMAIL COM]
Sent: Wednesday, February 23, 2000 2:22 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Single SignOn

BlueBoar and Friends,

I am evaluating 2 products for securing e-commerce applications. These are GetAccess by EnCommerce and Secure Net by IBM. Please break both of these products and let me know which one is more secure.

Ok, just kidding. Have any of you heard of any gotchas or security holes with either of these products? I've already checked out the major vulnerability sites cve.mitre.org, securityfocus.com, attrition.org, ntbugtraq.com, etc. I've also checked Usenet. And I can't believe that there aren't any holes.

What is the most popular e-commerce single sign-on out there, anyway?

Thanks!

---
Your Best Friend,
Vamprella
---
http://www.vamprella.com -- 1998 SN&R Award -- 1999 Losers Award
http://www.TheGirlBox.com -- Get TheGirlBox and give her one less thing to complain about.
"Worship Me and Await Instructions"

***********************************
chickclick.com http://www.chickclick.com girl sites that don't fake it.
http://www.chickmail.com sign up for your free email.
http://www.chickshops.com boutique shopping from chickclick.com
***********************************
Current thread:
- Re: Single SignOn Ben Grubin (Feb 24)
- <Possible follow-ups>
- Re: Single SignOn Vanna P. Rella (Feb 24)
- Re: Single SignOn Ben Grubin (Feb 24)
- Re: Single SignOn Diane Davidowicz (Feb 25)
- IIS4 / WAP vulnerability? Bjørnar B. Larsen (Feb 25)
- Re: Single SignOn Zev Lavon (Feb 25)
- Re: Single SignOn Erwin Geirnaert (Feb 28)