Subject: SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack
Hello,

I'd like to point out that a man-in-the-middle attack is still possible with this profile (I suppose some are aware of this, as the document states it "virtually eliminates man-in-the-middle attacks").

If an attacker can sit in the middle of both connections (to the IdP and the SP), it could act as a proxy and use its own key in both cases, which will be consistent with the SAML request.

The only solution is to use a known key to connect to the IdP (with an official certificate), which poses a privacy problem, as you will be obliged to connect to the SP with your "official" credentials.

Any envisioned work on this (double key authentication or equivalent)?

Thanks,
Marc Stern
Senior Consultant - Security Group Head
Approach Belgium - http://www.approach.be
Avenue Einstein, 2A - B-1348 Louvain-la-Neuve - Belgium
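A toy model of the flow the mail describes, added here as an illustration (it is neither part of the original message nor the SAML specification's own code; the function names, the fingerprint-based key comparison and the sample keys are assumptions). It shows why the holder-of-key check alone passes when one intermediary terminates both TLS legs with a single key, and how the IdP restricting issuance to a registered key closes that gap.

```python
import hashlib
from typing import Optional, Set

def fingerprint(pubkey: bytes) -> str:
    """Fingerprint an IdP or SP would derive from the TLS client certificate."""
    return hashlib.sha256(pubkey).hexdigest()

def idp_issue(presented_key: bytes, known_keys: Optional[Set[str]] = None) -> Optional[dict]:
    """Holder-of-key issuance: the assertion's SubjectConfirmation names the key
    seen on the TLS connection to the IdP. When known_keys is given, the IdP also
    requires a registered ("official") key, which is the fix the mail proposes."""
    fp = fingerprint(presented_key)
    if known_keys is not None and fp not in known_keys:
        return None  # unknown key: no assertion is issued
    return {"subject": "alice", "confirmation_key": fp}

def sp_verify(assertion: dict, presented_key: bytes) -> bool:
    """Holder-of-key check at the SP: the TLS client key on the SP connection
    must match the key bound into the assertion."""
    return assertion["confirmation_key"] == fingerprint(presented_key)

def sso_flow(browser_key: bytes, proxy_key: Optional[bytes] = None,
             known_keys: Optional[Set[str]] = None) -> bool:
    """Run one SSO exchange and report whether the SP accepts it.
    With proxy_key set, an intermediary terminates both TLS legs and presents
    its own key to IdP and SP, so both legs see one consistent key."""
    key_seen = proxy_key if proxy_key is not None else browser_key
    assertion = idp_issue(key_seen, known_keys)
    if assertion is None:
        return False
    return sp_verify(assertion, key_seen)

# Constructed sample keys (stand-ins for real public keys).
ALICE_KEY = b"alice-client-cert-public-key"
PROXY_KEY = b"intermediary-public-key"
REGISTERED = {fingerprint(ALICE_KEY)}  # keys the IdP knows "officially"

if __name__ == "__main__":
    print("direct:", sso_flow(ALICE_KEY))                                   # True
    print("proxied, HoK only:", sso_flow(ALICE_KEY, PROXY_KEY))             # True
    print("proxied, known key required:", sso_flow(ALICE_KEY, PROXY_KEY, REGISTERED))  # False
```

The second run is the point of the mail: the SP's holder-of-key comparison succeeds because the key it sees is the same one the IdP bound into the assertion; only the third run, where the IdP refuses unregistered keys, rejects the intermediary.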