
saml-dev message


Subject: SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune against man-in-the-middle attack


I'd like to point out that a man-in-the-middle attack is still possible with this profile (I suppose some are aware of this, as the document states that it "virtually eliminates man-in-the-middle attacks"). If an attacker can sit in the middle of both connections (to IdP & SP), it could act as a proxy and use its own key in both cases, which will be consistent with the SAML request.
The only solution is to use a known key to connect to the IdP (with an official certificate), which poses a privacy problem, as you will be obliged to connect to the SP with your "official" credentials.

Any envisioned work on this (double key authentication or equivalent)?

Marc Stern
Senior Consultant - Security Group Head
Approach Belgium - http://www.approach.be
Avenue Einstein, 2A   -    B-1348 Louvain-la-Neuve   -     Belgium

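To make the point of the message concrete, here is an added example (not code from the author or from OASIS) of the check an SP performs under the Holder-of-Key profile: it compares the certificate the client presented on the TLS connection with the certificate carried in the assertion's SubjectConfirmationData/KeyInfo. It assumes the element layout of the SAML V2.0 HoK profile (X509Certificate inside ds:KeyInfo inside SubjectConfirmationData); the DER byte strings are constructed placeholders, not real certificates. The optional pinned fingerprint models the mitigation the message proposes, a key known in advance for the user: without it, a self-consistent intermediary key passes the check exactly as described above; with it, that key is rejected.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed placeholders standing in for DER-encoded certificates (not real certs).
USER_CERT_DER = b"constructed-der-for-the-legitimate-user-certificate"
PROXY_CERT_DER = b"constructed-der-for-an-intermediary-certificate"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


def hok_assertion(cert_der: bytes, name_id: str = "alice") -> str:
    """Build a minimal constructed HoK assertion whose SubjectConfirmation
    carries the given certificate (an IdP would also sign it; omitted here)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject>
    <saml:NameID>{name_id}</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK_METHOD}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def confirmed_fingerprints(assertion_xml: str) -> List[str]:
    """Fingerprints of every certificate named in a holder-of-key SubjectConfirmation."""
    root = ET.fromstring(assertion_xml)
    found = []
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer or sender-vouches confirmations carry no key binding
        path = "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for cert_el in sc.findall(path, NS):
            der = base64.b64decode((cert_el.text or "").strip())
            found.append(fingerprint(der))
    return found


def hok_check(assertion_xml: str, presented_cert_der: bytes,
              pinned_fingerprint: Optional[str] = None) -> bool:
    """SP-side holder-of-key verification.

    1. The TLS client certificate must match a certificate named in the assertion.
    2. Optionally, it must also match a fingerprint the SP already knows for this
       user (the 'known key' mitigation from the message); this is the only step
       that distinguishes the subject's own key from an intermediary's key.
    """
    presented = fingerprint(presented_cert_der)
    if presented not in confirmed_fingerprints(assertion_xml):
        return False
    if pinned_fingerprint is not None and presented != pinned_fingerprint:
        return False
    return True


if __name__ == "__main__":
    user_fp = fingerprint(USER_CERT_DER)
    # Legitimate user: assertion bound to her key, presented with her key.
    print("user, no pin   :", hok_check(hok_assertion(USER_CERT_DER), USER_CERT_DER))
    # Assertion bound to one key but presented with another: the HoK binding catches this.
    print("mismatch       :", hok_check(hok_assertion(USER_CERT_DER), PROXY_CERT_DER))
    # Self-consistent intermediary key on both legs: the plain HoK check cannot tell.
    print("proxy, no pin  :", hok_check(hok_assertion(PROXY_CERT_DER), PROXY_CERT_DER))
    # Pinning the user's known key is what rejects it.
    print("proxy, pinned  :", hok_check(hok_assertion(PROXY_CERT_DER), PROXY_CERT_DER, user_fp))
```

Running the script prints True, False, True, False in that order: the binding check alone accepts any key that is consistent across both legs, and only the pinned fingerprint rejects the intermediary, which is the trade-off between protection and privacy the message raises.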
