---------- Forwarded message ----------
Date: Mon, 6 Aug 2001 17:48:57 -0400
From: Any Mouse
Subject: Inferno: Fw: Risks of the Passport Single Signon Protocol

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, August 06, 2001 4:49 PM
Subject: Risks of the Passport Single Signon Protocol

> Risks of the Passport Single Signon Protocol
> by David P. Kormann and Aviel D. Rubin
>
> Passport is a protocol that enables users to sign onto many different
> merchants' web pages by authenticating themselves only once to a common
> server. This is important because users tend to pick poor (guessable) user
> names and passwords and to repeat them at different sites. Passport is
> notable as it is being very widely deployed by Microsoft. At the time of this
> writing, Passport boasts 40 million consumers and more than 400
> authentications per second on average. We examine the Passport single signon
> protocol, and identify several risks and attacks. We discuss a flaw that we
> discovered in the interaction of Passport and Netscape browsers that leaves
> a user logged in while informing him that he has successfully logged out.
> Finally, we suggest several areas of improvement.
>
> http://avirubin.com/passport.html
>
> --
> Elias Levy
> SecurityFocus.com
> http://www.securityfocus.com/
> Si vis pacem, para bellum
