OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: Any security issue with using SPNEGOto perform single-sign-on?

From: Paul Johnston (paulwestpoint.ltd.uk)
Date: Wed Mar 23 2005 - 07:07:37 CST

Hi,

In principle I would worry that there's a risk of phishing style attacks
where users are lured to visit a fake site, which harvests their
details. Now, I think this is mitigated, because credentials are only
given to sites in the intranet zone, and the server name is included in
the kerberos principal. But still, this is an attack angle I'd give some
thought. For example, can an attacker who has harvested a single ticket
then perform an offline password brute force attack?

I agree, CSRF is a problem with any authentication scheme where the
browser automatically attached the credentials. For now you'll have to
rely on the application-layer workaround of having random tokens in
forms. I've just been musing that browsers could provide this protection
with a simple rule: for POST requests, where the originating form is a
different (hostname, protocol) to the target, do not attach any
credentials. Provided people followed the HTTP spec (i.e. only do
actions on POST requests), this would provide decent protection and I
don't think it would break much.

A general worry I have is SSO is that there is no longer a logout
function. It's considered good practice to provide a logout function, so
a user can be reasonably sure their session really has finished and no
further actions can occur. I guess the browser could do this - it would
prompt the first time it sends credentials to a site, after that
automatically send credentials without asking, until the user selects
some kind of logout function. I don't think any browsers support this,
but it could work.

Regards,

Paul

Saqib Ali wrote:

>I was wondering if anyone has encountered any security concern/issues
>while implementing SPNEGO <
>http://www.vintela.com/resources/topics/spnego/ >. SPNEGO provides a
>single-sign-on in a KERBEROS enabled environment. Basically it allows
>web applications to automatically authenticate clients who have valid
>Kerberos credentials.
>
>I am planning to install the mod_spnego module on a apache server,
>that will enable the client to single-sign-on to our internal
>application, if they are part of our AD.
>
>I possible concern is the increase of CSRF type of attacks, but that
>is the case with any single-sign-on solution.
>
>
>

--
Paul Johnston, GSEC
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paulwestpoint.ltd.uk
web: www.westpoint.ltd.uk