On the Security and Privacy of Modern Single Sign-On in the Web
Guido Schmitz (gtrs), dfett
Most ordinary web users have accounts at (at least) one of the big players in the web: Facebook, Google, Microsoft (Hotmail, Live), or even Yahoo. Also, many of these users are always logged in at some web sites of these companies. For web sites by other parties, it seems convenient to just re-use this already established authentication: They do not need to annoy the user with registration and login, and these web sites also do not need to maintain and protect an authentication database on their own. This is where SSO protocols come into play -- most times OAuth 2.0 or OpenID Connect. Both protocols have in common that they even require that the identity providers track where users log in. The only attempt so far, that tried to do better to protect the user's privacy, is Mozilla's BrowserID (a.k.a. Persona). We have analyzed these SSO protocols and discovered various critical attacks that break the security of all three protocols and also break the privacy promise of BrowserID. In our research, however, we aim to get positive security proofs for such SSO systems: We will discuss fixes and redesigns and whether it is possible to create a secure and privacy-respecting SSO. Contents of the talk: How do OAuth, OpenID Connect, and BrowserID protocols work? Attacks on these protocols! Can we make SSO great again?