OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Web-browser Binding Vulnerabilities + "Cures"

The following does IMO apply to many schemes including S2ML:

The use of references to assertions etc. in the form of URLs which are usually given to an
authenticated client by a credential issuer using an HTTP 301 (redirect) has at least one
problem: A credential consumer cannot easily determine if it is the original client that
handed over the URL containing such a reference. A simple browser URL window
snooper program could "snatch" such tokens and transport them to somebody else.
In spite of secure https transports.

The only "cures" I can think of are putting the critical data in a cookie [sorry :-( ], which requires a
fairly deep browser hack [open source would make it trivial though :-) ] to snatch, and IP bindings.
The latter is not universal due to proxies (all clients on the same proxy looks like one IP for the credential
consumer) etc. but it does improve the binding a bit.

Note: I don't insist that the current binding scheme should be changed, this is simply "information".


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC