Dark Lords of the Internet
In last week’s Covert OAuth Redirects and Perverse Incentives I described an open redirect vulnerability in the OAuth protocol which social login providers may not fix because it would require locking out third parties with slack security practices but lucrative business…
Covert OAuth Redirects and Perverse Incentives
Covert redirect is a structural vulnerability in OAuth-based protocols. It was widely publicized in early May. Identity and security experts had long known about it, but don’t have an easy fix. Once the media learned covert redirect isn’t as serious…
Managing OAuth Risks in Mobile Applications
When, not if, endpoints get compromised, OAuth tokens and other credentials become collateral damage. That means cyber-attackers may also compromise any resources available through OAuth 2.0, such as accounts at sites accessed through some social login systems or (potentially) HIPAA-protected…
Proposed OAuth 2.0 Assurance Session at IIW
As the morning dawns on the Mountain View Computer History Museum in California, the Internet Identity Workshop (IIW) will begin and I’ll propose an “unconference” session on OAuth assurance. As some of you know and others may see from the…
Federated Identity: Broad or Strong?
Broad deployments of federated identity have arrived in the form of social login. But in 2013 we find federation on the horns of a dilemma: can it be both broad and strong?
Federated identity, especially in the form of OAuth…
Social Login Systems May Share too Much
You thought you heard a click behind that site’s “Sign in with Facebook” button. But did you also hear the inaudible sigh of your personal data disappearing into the maw of yet another application?
Social login is the ability to…
Back to the Future (of Federation)
I recently developed a “history of federated identity” diagram and marveled at how it was similar, in many ways, to slides I created while working at Burton Group in 2004. Let’s take a look at a few diagrams and see…