Analysis of a Privacy Vulnerability in the OpenID Authentication Protocol

This paper studies the privacy risks for users of the OpenID Single Sign-On (SSO) mechanism. A privacy vulnerability in the OpenID Authentication Protocol that leads to the exposure of the OpenID user identifier to third parties is described in detail. It has been verified that many existing OpenID agents currently leak the (potentially unique) OpenID identifiers of their users to third parties, such as advertising and traffic analysis companies. We therefore consider this vulnerability a real and widespread privacy risk for OpenID users. This paper also studies the solution space of the problem and defines a number of possible countermeasures. After analyzing their advantages and drawbacks, we propose two solutions: a long-term one that removes the root cause of the vulnerability, and a short-term mitigation.