IP: Risks of the Passport Single Signon Protocol

[David Farber <dave () farber net>]

> From: "the terminal of Geoff Goodfellow" <geoff () iconia com>
> To: "Dave E-mail Pamphleteer Farber" <farber () cis upenn edu>
> Subject: Risks of the Passport Single Signon Protocol
> Date: Mon, 6 Aug 2001 10:02:40 +0200
>
> Risks of the Passport Single Signon Protocol
> David P. Kormann and Aviel D. Rubin
> AT&T Labs - Research
> 180 Park Avenue
> Florham Park, NJ 07932
> {davek,rubin}@research.att.com
>
> Abstract
>
> Passport is a protocol that enables users to sign onto many different
> merchants' web pages by authenticating themselves only once to a common
> server. This is important because users tend to pick poor (guessable) user
> names and passwords and to repeat them at different sites. Passport is
> notable as it is being very widely deployed by Microsoft. At the time of
> this writing, Passport boasts 40 million consumers and more than 400
> authentications per second on average. We examine the Passport single signon
> protocol, and identify several risks and attacks. We discuss a flaw that we
> discovered in the interaction of Passport and Netscape browsers that leaves
> a user logged in while informing him that he has successfully logged out.
> Finally, we suggest several areas of improvement.
>
> Keywords:  Web Security, Single Signon, Authentication, E-commerce
>
> http://avirubin.com/passport.html
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> geoff.goodfellow () iconia com, Prague CZ * tel/mobil +420 (0)603 706 558
> "success is getting what you want & happiness is wanting what you get"
> http://www.nytimes.com/library/tech/99/01/biztech/articles/17drop.html



For archives see: http://www.interesting-people.org/