Yes, provided the adversary can validate the intercepted ST before it is 
invalidated by usage or timeout.  It might be annoying in practice to 
execute the exploit fast enough for it to work, but that's different 
from ST transport being secure in principle by use of SSL. :)

On 09/30/2011 08:45 AM, [email protected] wrote:
> On Sep 29, 2011, at 3:05 PM, Andrew Petro wrote:
>
> > It is the case that an adversary intercepting a service ticket and
> > then validating it against the attribute-release-supporting SAML
> > endpoint in CAS is sufficient to lay hands on whatever user attributes
> > would be released to the legitimate application for which the ST was
> > intended.
>
> Provided they could: 1) block the intended recipient from receiving 
> the ticket or 2) beat the intended recipient in a race to use the 
> ticket or 3) block the recipient from using the ticket against the CAS 
> server? Or is there something I'm missing there.
>
> Thanks for the explanation on proxy security, btw.

