Scott wrote: "deployers should be aware of phishing attempts and may wish to employ additional measures to decrease the likelihood of a successful attack"

Hi Scott,

Does the new login design of CAS 3.0, as compared to CAS 2, make "phishing" more difficult? If not, what sort of additional measures would be needed to work against phishing attacks?

Thanks.

scott_battaglia wrote:
>
> As stated, yes, we do recommend the deployer utilize an iframe *if* their
> ultimate goal is to embed the login page on their applications' pages.
> Utilizing an iframe will allow the deployer to still participate in single
> sign on (which would eliminate unnecessary login forms). Screen-scraping
> and form submission introduces unnecessary work as well as being
> exceptionally brittle.
>
> This does not mean we are changing our stance that we recommend deployers
> follow the traditional CAS redirect protocol. Nowhere have we stated
> otherwise. However, we are aware that deployers' plans may not always fit
> well with the traditional CAS redirect protocol, and thus we do have
> recommendations on how best to utilize CAS in these non-traditional
> settings.
>
> As evidenced by the increasing number of successful phishing attacks which
> appear to work regardless of the craziness of the provided URL, deployers
> should be aware of phishing attempts and may wish to employ additional
> measures to decrease the likelihood of a successful attack regardless of
> whether they embed the login form or redirect the login form.
>
> -Scott
>
> On 2/26/07, Jason Shao <[EMAIL PROTECTED]> wrote:
>>
>> Scott Battaglia wrote:
>> > We don't recommend screen scraping (as your application would need to
>> > be updated if the login page changed). What we do recommend is that
>> > you create a minimal login screen and change the last redirect of the
>> > login flow to use JavaScript to handle the redirect. Then embed this
>> > minimal login screen on your application pages with an iframe. This
>> > would allow you to keep your existing login page (though they would be
>> > formatted slightly differently depending on how you format the minimal
>> > login screen) and still allow you to participate in single sign on.
>> >
>> > It's very similar to Google Accounts.
>>
>> Is embedding the login page inside an iFrame a practice the community
>> wants to recommend? It seems to open yourself up to social engineering
>> and phishing attacks, since even the minimal protection offered by users
>> looking at the location bar's URL is no longer available. One of CAS's
>> potential benefits would seem to be discouraging users from typing their
>> credentials into just any login box they see...
>>
>> Jason
>>
>> --
>>
>> Jason Shao
>> Application Developer, Architecture & Engineering Team
>> Rutgers University - Enterprise Systems & Services
>> v. 732-445-2869 | f. 732-445-5493 | [EMAIL PROTECTED]
>>
>> _______________________________________________
>> Yale CAS mailing list
>> [email protected]
>> http://tp.its.yale.edu/mailman/listinfo/cas

--
View this message in context: http://www.nabble.com/Keep-old-login-pages-tf3272909.html#a13296009
Sent from the CAS Users mailing list archive at Nabble.com.
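One concrete "additional measure" for the embedded-login case discussed in this thread is to let the login page itself decide who may frame it, so that a look-alike site cannot wrap the real login form in its own page. The following is an added example, not CAS code and not from anyone on the list: it derives the framing headers for the minimal login page from the CAS `service` parameter, using a constructed allowlist of deployer application origins (all names are hypothetical), and falls back to denying framing entirely.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical values): the only application origins
# permitted to embed the minimal login screen in an iframe.
ALLOWED_FRAME_ORIGINS = {
    "https://portal.example.edu",
    "https://courses.example.edu",
}


def origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on bad input
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    host = host.lower()
    default_port = 80 if parts.scheme == "http" else 443
    if port is not None and port != default_port:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def framing_headers(service: Optional[str]) -> Dict[str, str]:
    """Response headers for the login page given the CAS 'service' parameter.

    An allowlisted application origin may frame the form (CSP frame-ancestors
    carries the exact origin); anything else, including a missing or
    malformed service URL, gets an unconditional deny so the real login box
    cannot be embedded by an arbitrary page.
    """
    origin = origin_of(service) if service else None
    if origin in ALLOWED_FRAME_ORIGINS:
        # frame-ancestors is honoured over X-Frame-Options by browsers that
        # support CSP, so only the precise allow is emitted here.
        return {"Content-Security-Policy": f"frame-ancestors 'self' {origin}"}
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",  # legacy fallback for the deny case
    }


if __name__ == "__main__":
    for svc in ("https://portal.example.edu/app?x=1", "https://evil.example.net/"):
        print(svc, "->", framing_headers(svc))
```

The same allowlist should be the one CAS already uses to validate `service` URLs, so the framing decision and the ticket-granting decision cannot drift apart.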
