C3Subtitles: 33c3: On the Security and Privacy of Modern Single Sign-On in the Web
back

On the Security and Privacy of Modern Single Sign-On in the Web

(Not Only) Attacks on OAuth and OpenID Connect

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
01:04:04
Language
English
Abstract
<p>Many web sites allow users to log in with their Facebook or Google account. This so-called Web single sign-on (SSO) often uses the standard protocols OAuth and OpenID Connect. How secure are these protocols? What can go wrong?</p>

<p>OAuth and OpenID Connect do not protect your privacy at all, i.e., your identity provider (e.g., Facebook or Google) can always track, where you log in. Mozilla tried to create an authentication protocol that aimed to prevent tracking: BrowserID (a.k.a. Persona). Did their proposition really solve the privacy issue? What are the lessons learned and can we do better?</p>

<p>Most ordinary web users have accounts at (at least) one of the big players in the web: Facebook, Google, Microsoft (Hotmail, Live), or even Yahoo. Also, many of these users are always logged in at some web sites of these companies. For web sites by other parties, it seems convenient to just re-use this already established authentication: They do not need to annoy the user with registration and login, and these web sites also do not need to maintain and protect an authentication database on their own. This is where SSO protocols come into play -- most times OAuth 2.0 or OpenID Connect. Both protocols have in common that they even require that the identity providers track where users log in. The only attempt so far, that tried to do better to protect the user's privacy, is Mozilla's BrowserID (a.k.a. Persona).</p>

<p>We have analyzed these SSO protocols and discovered various critical attacks that break the security of all three protocols and also break the privacy promise of BrowserID. In our research, however, we aim to get positive security proofs for such SSO systems: We will discuss fixes and redesigns and whether it is possible to create a secure and privacy-respecting SSO.</p>


<p>Contents of the talk:
<ul>
<li>How do OAuth, OpenID Connect, and BrowserID protocols work?</li>
<li>Attacks on these protocols!</li>
<li>Can we make SSO great again?</li>
</ul></p>

Talk ID
7827
Event:
33c3
Day
2
Room
Saal G
Start
6:30 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Guido Schmitz (gtrs)
dfett