Robert,

The specific JSP pages do not do anything additional to prevent phishing
attempts.  However, the more flexible nature of the Login process via Web
Flow can allow you to provide a richer interaction if desired (similar to
how someone like INGDirect takes in a username and then displays some image
that you specified and then asks for the password).  The latest JSP pages
also utilize the Spring Form tags by default, which give an example of
redisplaying user-provided content safely (i.e. refilling a field with a
username).

We also encourage deployers to educate their users that they should only be
providing their username/password to the URL that designates the CAS server.

-Scott

On 10/19/07, Robert Lewis <[EMAIL PROTECTED]> wrote:
>
>
> Scott wrote:
> "deployers should be aware of phishing attempts and may wish to employ
> additional
> measures to decrease the likelihood of a successful attack"
>
> Hi Scott,
> Does the new login design of cas3.0, as compared to cas2, make "phishing"
> more difficult? If not, what sort of additional measures would be needed to
> work against phishing attacks?
>
> Thanks.
>
>
> scott_battaglia wrote:
> >
> > As stated, yes, we do recommend the deployer utilize an iframe *if* their
> > ultimate goal is to embed the login page on their applications' pages.
> > Utilizing an iframe will allow the deployer to still participate in single
> > sign on (which would eliminate unnecessary login forms).  Screen-scraping
> > and form submission introduce unnecessary work as well as being
> > exceptionally brittle.
> >
> > This does not mean we are changing our stance that we recommend deployers
> > follow the traditional CAS redirect protocol. Nowhere have we stated
> > otherwise.  However, we are aware that deployers' plans may not always fit
> > well with the traditional CAS redirect protocol, and thus we do have
> > recommendations on how best to utilize CAS in these non-traditional
> > settings.
> >
> > As evidenced by the increasing number of successful phishing attacks which
> > appear to work regardless of the craziness of the provided URL, deployers
> > should be aware of phishing attempts and may wish to employ additional
> > measures to decrease the likelihood of a successful attack regardless of
> > whether they embed the login form or redirect the login form.
> >
> > -Scott
> >
> > On 2/26/07, Jason Shao <[EMAIL PROTECTED]> wrote:
> >>
> >> Scott Battaglia wrote:
> >> > We don't recommend screen scraping (as your application would need to
> >> > be updated if the login page changed).  What we do recommend is that
> >> > you create a minimal login screen and change the last redirect of the
> >> > login flow to use JavaScript to handle the redirect.  Then embed this
> >> > minimal login screen on your application pages with an iframe.  This
> >> > would allow you to keep your existing login page (though they would be
> >> > formatted slightly differently depending on how you format the minimal
> >> > login screen) and still allow you to participate in single sign on.
> >> >
> >> > It's very similar to Google Accounts.
> >> Is embedding the login page inside an iFrame a practice the community
> >> wants to recommend? It seems to open yourself up to social engineering
> >> and phishing attacks, since even the minimal protection offered by users
> >> looking at the location bar's URL is no longer available. One of CAS's
> >> potential benefits would seem to be discouraging users from typing their
> >> credentials into just any login box they see...
> >>
> >> Jason
> >>
> >> --
> >>
> >> Jason Shao
> >> Application Developer, Architecture & Engineering Team
> >> Rutgers University - Enterprise Systems & Services
> >> v. 732-445-2869 | f. 732-445-5493 | [EMAIL PROTECTED]
> >>
> >> _______________________________________________
> >> Yale CAS mailing list
> >> [email protected]
> >> http://tp.its.yale.edu/mailman/listinfo/cas
> >>
> >
>
>
>



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
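Scott's remark above about the Spring Form tags refilling the username field safely, shown with an added JSP fragment; this is not code from the thread or from the CAS distribution, and the `credentials` command object name and the `username`/`password` property names are assumed for illustration.

```jsp
<%-- Added illustration, not the CAS login page. Assumes a Spring
     form-backing object named "credentials" with "username" and
     "password" properties. --%>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>

<%-- Risky refill: the raw request parameter is copied into the attribute
     unescaped, so a submitted value containing a closing quote and a tag
     is rendered as markup in the login page's own origin (and a missing
     parameter is rendered as the literal text "null"). --%>
<form method="post" action="login">
  <input type="text" name="username"
         value="<%= request.getParameter("username") %>" />
  <input type="password" name="password" />
</form>

<%-- Safe refill: the form tag rebinds the field from the command object and
     HTML-escapes the value when htmlEscape is enabled, either per tag as
     here or application-wide via the "defaultHtmlEscape" context-param
     in web.xml. Quotes and angle brackets render as text, not markup. --%>
<form:form method="post" commandName="credentials" htmlEscape="true">
  <form:input path="username" htmlEscape="true" />
  <form:password path="password" />
</form:form>
```

Escaping only matters for the redisplayed value; the password field is never refilled in either variant.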