Information Security News mailing list archives

Risks of the Passport Single Signon Protocol


From: InfoSec News <isn () c4i org>
Date: Mon, 6 Aug 2001 03:16:04 -0500 (CDT)

http://avirubin.com/passport.html

David P. Kormann and Aviel D. Rubin
AT&T Labs - Research
180 Park Avenue
Florham Park, NJ 07932
{davek,rubin}@research.att.com

Abstract

Passport is a protocol that enables users to sign onto many different
merchants' web pages by authenticating themselves only once to a
common server. This is important because users tend to pick poor
(guessable) user names and passwords and to repeat them at different
sites. Passport is notable as it is being very widely deployed by
Microsoft. At the time of this writing, Passport boasts 40 million
consumers and more than 400 authentications per second on average. We
examine the Passport single signon protocol, and identify several
risks and attacks. We discuss a flaw that we discovered in the
interaction of Passport and Netscape browsers that leaves a user
logged in while informing him that he has successfully logged out.
Finally, we suggest several areas of improvement.

Keywords:  Web Security, Single Signon, Authentication, E-commerce

[...]


