Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Any security issue with using SPNEGOto perform single-sign-on?

from [Paul Johnston] Network Security [Permanent Link]
Subject: Re: Any security issue with using SPNEGOto perform single-sign-on?
Date: Wed, 23 Mar 2005 13:07:37 +0000 
Hi,

In principle I would worry that there's a risk of phishing style attacks where users are lured to visit a fake site, which harvests their details. Now, I think this is mitigated, because credentials are only given to sites in the intranet zone, and the server name is included in the kerberos principal. But still, this is an attack angle I'd give some thought. For example, can an attacker who has harvested a single ticket then perform an offline password brute force attack?

I agree, CSRF is a problem with any authentication scheme where the browser automatically attached the credentials. For now you'll have to rely on the application-layer workaround of having random tokens in forms. I've just been musing that browsers could provide this protection with a simple rule: for POST requests, where the originating form is a different (hostname, protocol) to the target, do not attach any credentials. Provided people followed the HTTP spec (i.e. only do actions on POST requests), this would provide decent protection and I don't think it would break much.

A general worry I have is SSO is that there is no longer a logout function. It's considered good practice to provide a logout function, so a user can be reasonably sure their session really has finished and no further actions can occur. I guess the browser could do this - it would prompt the first time it sends credentials to a site, after that automatically send credentials without asking, until the user selects some kind of logout function. I don't think any browsers support this, but it could work.

Regards,

Paul


Saqib Ali wrote:

I was wondering if anyone has encountered any security concern/issues
while implementing SPNEGO <
http://www.vintela.com/resources/topics/spnego/ >.  SPNEGO provides a
single-sign-on in a KERBEROS enabled environment. Basically it allows
web applications to automatically authenticate clients who have valid
Kerberos credentials.

I am planning to install the mod_spnego module on a apache server,
that will enable the client to single-sign-on to our internal
application, if they are part of our AD.

I possible concern is the increase of CSRF type of attacks, but that
is the case with any single-sign-on solution.




--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@westpoint.ltd.uk
web: www.westpoint.ltd.uk

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Antwort: Re: clear-text passwords in shell/perl scripts, Carsten Kuckuk
Next by Date:  RE: clear-text passwords in shell/perl scripts, Ofer Shezaf
Previous by Thread:  Any security issue with using SPNEGOto perform single-sign-on?, Saqib Ali
Next by Thread:  clear-text passwords in shell/perl scripts, Jeff Robertson
Indexes:  [Date] [Thread] [Top] [All Lists]