Sunday, September 17, 2006

RSnake, funny and insightful


RSnake had a couple of recent posts that really got me thinking (he tends to have that impact on readers). One post was on single sign-on (SSO) and the other about surfing without JavaScript.

"For instance, I was visiting what was essentially a hacked site that had a redirection built into a Flash movie. Here I was, with Flash and JavaScript and Java turned off and yet I was still getting redirected. What's the deal? Well, after doing a little research it turns out that Flashblock requires that JavaScript is turned on. So to turn off Flash, I have to have JavaScript turned on - how is that helping me?"

For some reason this left me laughing for a good minute. Then for the life of me I couldn't figure out why no one noticed this before.

"Let's say company-a.com has a website that you authenticate to. By virtue of single sign-on you are now authenticated to company-b.com. Now suddenly, CSRF via XSS in company-a.com that exploits company-b.com and would normally fail on company-b.com (because previously I wasn't logged in there) now functions." ... "I'm in without even trying."


RSnake's exactly right. I hadn't run into SSO in so long, I forgot about this problem.

"The peril in single sign-on is that the least common denominator dictates a large portion of the security for all members of the authentication network."

This also sounds a lot like the same issue Lex raised when considering email security to be more important than bank security. Essentially you're offloading security to another entity, and are you OK with that?
