OPT: Inferno: Fw: Risks of the Passport Single Signon Protocol (fwd)

Jim Choate ravage at ssz.com
Mon Aug 6 15:14:16 PDT 2001



---------- Forwarded message ----------
Date: Mon, 6 Aug 2001 17:48:57 -0400
From: Any Mouse
Subject: Inferno: Fw: Risks of the Passport Single Signon Protocol

----- Original Message -----
From: <aleph1 at securityfocus.com>
To: <secpapers at securityfocus.com>
Cc: <www-mobile-code at securityfocus.com>
Sent: Monday, August 06, 2001 4:49 PM
Subject: Risks of the Passport Single Signon Protocol


> Risks of the Passport Single Signon Protocol
> by David P. Kormann and Aviel D. Rubin
>
> Passport is a protocol that enables users to sign onto many different
> merchants' web pages by authenticating themselves only once to a common
> server. This is important because users tend to pick poor (guessable) user
> names and passwords and to repeat them at different sites. Passport is
> notable as it is being very widely deployed by Microsoft. At the time of this
> writing, Passport boasts 40 million consumers and more than 400
> authentications per second on average. We examine the Passport single signon
> protocol, and identify several risks and attacks. We discuss a flaw that we
> discovered in the interaction of Passport and Netscape browsers that leaves
> a user logged in while informing him that he has successfully logged out.
> Finally, we suggest several areas of improvement.
>
> http://avirubin.com/passport.html
>
> --
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
> Si vis pacem, para bellum
