Many web sites allow users to log in with their Facebook or Google account. This so-called Web single sign-on (SSO) often uses the standard protocols OAuth and OpenID Connect. How secure are these protocols? What can go wrong?
OAuth and OpenID Connect do not protect your privacy at all, i.e., your identity provider (e.g., Facebook or Google) can always track, where you log in. Mozilla tried to create an authentication protocol that aimed to prevent tracking: BrowserID (a.k.a. Persona). Did their proposition really solve the privacy issue? What are the lessons learned and can we do better?
Most ordinary web users have accounts at (at least) one of the big players in the web: Facebook, Google, Microsoft (Hotmail, Live), or even Yahoo. Also, many of these users are always logged in at some web sites of these companies. For web sites by other parties, it seems convenient to just re-use this already established authentication: They do not need to annoy the user with registration and login, and these web sites also do not need to maintain and protect an authentication database on their own. This is where SSO protocols come into play -- most times OAuth 2.0 or OpenID Connect. Both protocols have in common that they even require that the identity providers track where users log in. The only attempt so far, that tried to do better to protect the user's privacy, is Mozilla's BrowserID (a.k.a. Persona).
We have analyzed these SSO protocols and discovered various critical attacks that break the security of all three protocols and also break the privacy promise of BrowserID. In our research, however, we aim to get positive security proofs for such SSO systems: We will discuss fixes and redesigns and whether it is possible to create a secure and privacy-respecting SSO.
Contents of the talk:
- How do OAuth, OpenID Connect, and BrowserID protocols work?
- Attacks on these protocols!
- Can we make SSO great again?