research-article

Risks of the Passport single signon protocol

Authors: David P Kormann,

Aviel D RubinAuthors Info & Claims

Volume 33, Issue 1

Pages 51 - 58

https://doi.org/10.1016/S1389-1286(00)00048-7

Published: 01 June 2000 Publication History

Abstract

Passport is a protocol that enables users to sign onto many different merchants' Web pages by authenticating themselves only once to a common server. This is important because users tend to pick poor (guessable) user names and passwords and to repeat them at different sites. Passport is notable as it is being very widely deployed by Microsoft. At the time of this writing, Passport boasts 40 million consumers and more than 400 authentications per second on average. We examine the Passport single signon protocol, and identify several risks and attacks. We discuss a flaw that we discovered in the interaction of Passport and Netscape browsers that leaves a user logged in while informing him that he has successfully logged out. Finally, we suggest several areas of improvement.

References

[1]

D. Dean, E.W. Felten and D.S. Wallach, Java security: from HotJava to Netscape and beyond, 1996 IEEE Symposium on Security and Privacy, 1996, pp. 190–200.

Google Scholar

[2]

I. Goldberg and E. Wagner, Randomness and the Netscape browser, Dr. Dobb’s J., 1996, pp. 66–70.

Google Scholar

[3]

J.G. Steiner, B.C. Neuman and J.I. Schiller, Kerberos: an authentication service for open network systems, Usenix Conference Proc., 1988, pp. 191–202.

Google Scholar

[4]

D. Wagner and B. Schneier, Analysis of the SSL 3.0 Protocol, The Second USENIX Workshop on Electronic Commerce Proc., 1996, pp. 29–40.

Google Scholar

Cited By

View all

Alaca FAbdou Avan Oorschot P(2021)Comparative Analysis and Framework Evaluating Mimicry-Resistant and Invisible Web Authentication SchemesIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2019.290890718:2(534-549)Online publication date: 8-Mar-2021
https://dl.acm.org/doi/10.1109/TDSC.2019.2908907
Ferrag MMaglaras LArgyriou AKosmanos DJanicke H(2018)Security for 4G and 5G cellular networksJournal of Network and Computer Applications10.1016/j.jnca.2017.10.017101:C(55-82)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.1016/j.jnca.2017.10.017
Ruoti SSeamons K(2017)End-to-End PasswordsProceedings of the 2017 New Security Paradigms Workshop10.1145/3171533.3171542(107-121)Online publication date: 1-Oct-2017
https://dl.acm.org/doi/10.1145/3171533.3171542
Show More Cited By

Index Terms

Risks of the Passport single signon protocol

Index terms have been assigned to the content through auto-classification.

Recommendations

Risks of the passport single signon protocol
Proceedings of the 9th international World Wide Web conference on Computer networks : the international journal of computer and telecommunications netowrking
Exploring the protection of private browsing in desktop browsers

Desktop browsers have introduced private browsing mode, a security control which aims to protect users' data that are generated during a private browsing session by not storing them in the filesystem. As the Internet becomes ubiquitous, the existence of ...
A Novel Anonymous RFID Authentication Protocol Providing Strong Privacy and Security
MINES '10: Proceedings of the 2010 International Conference on Multimedia Information Networking and Security

As the radio frequency identification (RFID) technology continues to evolve and mature, RFID tags can be implemented in a wide range of applications. Due to the shared wireless medium between the RFID reader and the RFID tag, however, adversaries can ...

Comments

Information & Contributors

Information

Published In

cover image Computer Networks: The International Journal of Computer and Telecommunications Networking

Computer Networks: The International Journal of Computer and Telecommunications Networking Volume 33, Issue 1

Jun 2000

817 pages

ISSN:1389-1286

Issue’s Table of Contents

Publisher

Elsevier North-Holland, Inc.

United States

Publication History

Published: 01 June 2000

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

40
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 17 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Alaca FAbdou Avan Oorschot P(2021)Comparative Analysis and Framework Evaluating Mimicry-Resistant and Invisible Web Authentication SchemesIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2019.290890718:2(534-549)Online publication date: 8-Mar-2021
https://dl.acm.org/doi/10.1109/TDSC.2019.2908907
Ferrag MMaglaras LArgyriou AKosmanos DJanicke H(2018)Security for 4G and 5G cellular networksJournal of Network and Computer Applications10.1016/j.jnca.2017.10.017101:C(55-82)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.1016/j.jnca.2017.10.017
Ruoti SSeamons K(2017)End-to-End PasswordsProceedings of the 2017 New Security Paradigms Workshop10.1145/3171533.3171542(107-121)Online publication date: 1-Oct-2017
https://dl.acm.org/doi/10.1145/3171533.3171542
Zhao GBa ZWang XZhang FHuang CTang Y(2016)Constructing authentication web in cloud computingSecurity and Communication Networks10.1002/sec.12029:15(2843-2860)Online publication date: 1-Oct-2016
https://dl.acm.org/doi/10.1002/sec.1202
Mayer ANiemietz MMladenov VSchwenk JAhn GOprea ASafavi-Naini R(2014)Guardians of the CloudsProceedings of the 6th edition of the ACM Workshop on Cloud Computing Security10.1145/2664168.2664171(105-116)Online publication date: 7-Nov-2014
https://dl.acm.org/doi/10.1145/2664168.2664171
Zhao RYue CBertino ESandhu RBauer LPark J(2013)All your browser-saved passwords could belong to usProceedings of the third ACM conference on Data and application security and privacy10.1145/2435349.2435397(333-340)Online publication date: 18-Feb-2013
https://dl.acm.org/doi/10.1145/2435349.2435397
Yue CRowland C(2012)Preventing the revealing of online passwords to inappropriate websites with logininspectorProceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques10.5555/2432523.2432529(67-82)Online publication date: 9-Dec-2012
https://dl.acm.org/doi/10.5555/2432523.2432529
Kohlar FSchwenk JJensen MGajek S(2011)On Cryptographically Strong Bindings of SAML Assertions to Transport Layer SecurityInternational Journal of Mobile Computing and Multimedia Communications10.4018/jmcmc.20111001023:4(20-35)Online publication date: 1-Oct-2011
https://dl.acm.org/doi/10.4018/jmcmc.2011100102
Schwenk JKohlar FAmon MBhargav-Spantzel AGroß T(2011)The power of recognitionProceedings of the 7th ACM workshop on Digital identity management10.1145/2046642.2046656(63-72)Online publication date: 21-Oct-2011
https://dl.acm.org/doi/10.1145/2046642.2046656
Strahs BYue CWang H(2009)Secure passwords through enhanced hashingProceedings of the 23rd conference on Large installation system administration10.5555/1855698.1855705(7-7)Online publication date: 1-Nov-2009
https://dl.acm.org/doi/10.5555/1855698.1855705
Show More Cited By

Abstract

References

Cited By

Index Terms

Recommendations