Interesting. In the CAS scheme, the login server redirects the browser
back to the client website, with a unique ticket. The client website
then calls back to the login server to verify the ticket is
legitimate, and the login server responds with the username and other
metadata.

Since the login server never redirects with a ticket to any site but
one of its whitelisted client websites, and always with https, and the
client website always uses https to call back to the login server, I
don't see a risk of man-in-the-middle attack there so far. But I could
be missing something.


On Fri, Feb 6, 2015 at 6:36 PM, Mark Montague <m...@catseye.org> wrote:
> On 2015-02-06 17:11, Tom Boutell wrote:
>>
>> One of the key differences between Cosign and CAS seems to be the
>> implementation of separate SSL certificates for Cosign's back-channel.
>> I'm curious what the improvement in security is there. It could be
>> left over from the era when the public sites might not be using https,
>> or it could have a larger benefit that just isn't clear to me yet.
>
>
> What Liam said:  on virtually all of our web servers we use the same
> certificate for connecting to the central weblogin servers that we use for
> HTTPS.  As for the improvement to security, the certificates are needed to
> be sure that the client web server is talking to the real central weblogin
> servers, that there is no man in the middle eavesdropping on or modifying
> the traffic, and so that the central weblogin servers know that they are
> talking to a legitimate client web server belonging to the institution
> rather than random machines.
>
> --
>   Mark Montague
>   m...@catseye.org
>



-- 


THOMAS BOUTELL, DEV & OPS
P'UNK AVENUE | (215) 755-1330  |  punkave.com
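The redirect-and-validate exchange described in the message above, as an added example that is not part of this thread or of the CAS or Cosign projects: a small Python model of both sides, the login server that issues a ticket and the client website that validates it over the back channel. The whitelist-by-host and https-only checks, the single-use ticket and the short ticket lifetime are assumptions of this model (single use and short lifetime are properties of real CAS service tickets); the back-channel HTTPS call is simulated as a direct method call, and every host, user and URL is constructed.

```python
"""Simplified CAS-style login flow (added example, not CAS or Cosign code).

Flow modelled:
  1. user authenticates at the login server, which issues a service
     ticket bound to one whitelisted https client website and redirects
     the browser there with ?ticket=ST-...
  2. the client website extracts the ticket and calls the login server
     back (over https in the real scheme) to validate it
  3. the login server answers with the username, or nothing
"""
import secrets
import time
from urllib.parse import parse_qs, urlparse


class CASLoginServer:
    def __init__(self, allowed_hosts, ticket_ttl=10.0, clock=None):
        self.allowed_hosts = set(allowed_hosts)   # constructed whitelist
        self.ticket_ttl = ticket_ttl               # seconds a ticket stays valid
        self._clock = clock or time.monotonic      # injectable for testing expiry
        self._tickets = {}                         # ticket -> (service, user, issued)

    def service_allowed(self, service):
        """A ticket is only ever sent to a whitelisted host, and only over https."""
        u = urlparse(service)
        return u.scheme == "https" and u.hostname in self.allowed_hosts

    def login(self, username, service):
        """Step 1: issue a ticket bound to `service` and return the redirect URL."""
        if not self.service_allowed(service):
            raise ValueError("refusing to redirect: service not whitelisted or not https")
        ticket = "ST-" + secrets.token_urlsafe(24)   # unguessable, URL-safe
        self._tickets[ticket] = (service, username, self._clock())
        return f"{service}?ticket={ticket}"

    def validate(self, service, ticket):
        """Step 2/3: back-channel validation. Returns the username or None.

        The ticket is consumed on the first validation attempt, successful
        or not, so a replayed or stolen ticket cannot be validated twice.
        """
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        bound_service, username, issued = entry
        if bound_service != service:                       # ticket stolen across sites
            return None
        if self._clock() - issued > self.ticket_ttl:       # ticket too old
            return None
        return username


class ClientWebsite:
    def __init__(self, service_url, login_server):
        self.service_url = service_url
        self.login_server = login_server

    def handle_redirect(self, redirect_url):
        """Handle the browser arriving with ?ticket=...; return username or None."""
        ticket = ticket_from_redirect(redirect_url)
        if ticket is None:
            return None
        # Real deployments make this call over https to the login server;
        # here it is a direct method call on the in-memory server object.
        return self.login_server.validate(self.service_url, ticket)


def ticket_from_redirect(redirect_url):
    """Extract the ticket query parameter from the redirect URL, if present."""
    return parse_qs(urlparse(redirect_url).query).get("ticket", [None])[0]


def demo():
    """Run the happy path and a replay; returns (first result, replay result)."""
    server = CASLoginServer(allowed_hosts={"app.example.edu"})
    app = ClientWebsite("https://app.example.edu/login", server)
    redirect_url = server.login("alice", app.service_url)   # constructed user
    first = app.handle_redirect(redirect_url)    # "alice"
    replay = app.handle_redirect(redirect_url)   # None: ticket already consumed
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The checks that matter for the man-in-the-middle question in the thread are the ones in `service_allowed` (no ticket ever leaves for an unlisted or plain-http site) and in `validate` (a ticket is useless at any site other than the one it was issued for, and useless a second time).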

_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss