Sunday, September 17, 2006
RSnake, funny and insightful
For some reason this left me laughing for a good minute. Then for the life of me I couldn't figure out why no one noticed this before.
"Let’s say company-a.com has a website that you authenticate to. By virtue of single sign-on you are now authenticated to company-b.com. Now suddenly, CSRF via XSS in company-a.com that exploits company-b.com and would normally fail on company-b.com (because previously I wasn’t logged in there) now functions." ... "I’m in without even trying."
RSnake's exactly right. I hadn't run into SSO in so long, I forgot about this problem.
"The peril in single sign-on is that the least common denominator dictates a large portion of the security for all members of the authentication network."
This also sounds a lot like the same issue Lex raised when considering email security to be more important than bank security. Essentially, you're offloading security to another entity; are you OK with that?
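To make the point concrete, here is a small added model (my own, not code from RSnake or from this post) of the SSO-plus-CSRF problem: two member sites share one SSO session, so a cross-site request to company-b.com arrives authenticated even though the user only ever logged in at company-a.com. The session alone does not protect company-b.com; a per-site CSRF token check does. The site names, in-memory stores and the `handle_transfer` endpoint are assumptions for illustration.

```python
# Added example (not from the original post): toy model of an SSO session
# shared across member sites, and why a per-site CSRF token is still needed.
import secrets

SSO_SESSIONS: dict = {}   # sso token -> user  (constructed, in-memory)
CSRF_TOKENS: dict = {}    # (site, sso token) -> per-site CSRF token

def sso_login(user: str) -> str:
    """Single sign-on: one session is accepted by every member site."""
    token = secrets.token_hex(16)
    SSO_SESSIONS[token] = user
    return token

def issue_csrf_token(site: str, sso_token: str) -> str:
    """Each member site mints its own secret bound to the SSO session."""
    t = secrets.token_hex(16)
    CSRF_TOKENS[(site, sso_token)] = t
    return t

def handle_transfer(site: str, request: dict, require_csrf: bool) -> str:
    """State-changing endpoint on `site`. `request` carries the cookie the
    browser attaches automatically plus the POST body; a form built on
    another member site controls the body but not the per-site token."""
    sso = request.get("cookie_sso")
    user = SSO_SESSIONS.get(sso)
    if user is None:
        return "denied: not authenticated"
    if require_csrf:
        expected = CSRF_TOKENS.get((site, sso))
        supplied = request.get("csrf", "")
        if expected is None or not secrets.compare_digest(expected, supplied):
            return "denied: missing or wrong CSRF token"
    return f"ok: {user} transferred {request['body']['amount']}"

def demo() -> tuple:
    """Returns (session-only result, with-CSRF-check result, legit result)."""
    sso = sso_login("alice")  # alice authenticates at company-a.com only
    # Cross-site request to company-b.com: valid SSO cookie, no CSRF field.
    cross_site = {"cookie_sso": sso, "body": {"amount": 100}}
    session_only = handle_transfer("company-b.com", cross_site, False)
    with_check = handle_transfer("company-b.com", cross_site, True)
    # Legitimate same-site form: carries company-b.com's own token.
    legit = dict(cross_site, csrf=issue_csrf_token("company-b.com", sso))
    legit_result = handle_transfer("company-b.com", legit, True)
    return session_only, with_check, legit_result

if __name__ == "__main__":
    for line in demo():
        print(line)
```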