shibboleth-dev - Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
- From: Etienne Dysli <>
- Subject: Re: [Shib-Dev] Clickjacking: X-Frame-Options HTTP header for the IdP
- Date: Thu, 29 Jul 2010 10:49:04 +0200
Jim Fox wrote:
> Our login screen has one button that says 'Log in'. Possibly someone
> could be tricked into clicking that -- with an empty password.
> Seems like a lot of work on the attacker's part for very little gain.
> I imagine the shib login screen is similar.
One could also fill the username/password fields and make browsers
bruteforce the IdP login page. I recommend reading Paul Stone's "Next
Generation Clickjacking" presentation at BlackHat Europe 2010
(https://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html#Stone)
for some nice attack ideas. ;)
> Most of our users don't use a really recent IE8, so the new header
> would do them no good. It wouldn't hurt them either. It would be
> nice to have a solution for everyone.
Firefox doesn't support it yet either (only with NoScript). Anyway, I've
already deployed this (modified JSPs to send the X-Frame-Options HTTP
header) and it didn't break my IdP.
> As far as the login page in an iframe: If you do that the URL of
> the IdP doesn't show up anywhere, does it? How would the user know
> this is the IdP's page and not a fake? Why would someone do that?
I don't know why someone would do that except for malicious purposes,
but I've seen one SP that did frame the DS and the IdP pages...
To answer Patrik's question, I think this would raise the security of
users because it removes one way they can be tricked. Moreover, it also
removes one attack vector on your IdP.
Regards,
Etienne
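One way to send the header from the IdP as described above, as an added example that is not from this thread or from the Shibboleth project itself: a servlet filter (hypothetical class name FrameOptionsFilter, init-param name "policy" and the web.xml mapping are assumptions) that sets X-Frame-Options on every response, so the individual JSPs need not be modified.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: adds X-Frame-Options to every response so browsers that
 *  honour the header refuse to render the IdP login page inside a frame. Browsers
 *  without support (older IE, Firefox without NoScript at the time) ignore it. */
public class FrameOptionsFilter implements Filter {

    /** Default policy: refuse all framing. SAMEORIGIN is the other accepted value. */
    private String policy = "DENY";

    public void init(FilterConfig config) throws ServletException {
        // Optional init-param "policy" (assumed name) overrides the default.
        String configured = config.getInitParameter("policy");
        if (configured != null) {
            String value = configured.trim().toUpperCase();
            if (!value.equals("DENY") && !value.equals("SAMEORIGIN")) {
                throw new ServletException("Unsupported X-Frame-Options policy: " + configured);
            }
            policy = value;
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // setHeader (not addHeader): a JSP that already emits the header must not
            // end up sending two conflicting values.
            ((HttpServletResponse) response).setHeader("X-Frame-Options", policy);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {}
}

// web.xml registration (assumed mapping; adjust url-pattern to your IdP's paths):
//   <filter>
//     <filter-name>FrameOptions</filter-name>
//     <filter-class>FrameOptionsFilter</filter-class>
//     <init-param><param-name>policy</param-name><param-value>DENY</param-value></init-param>
//   </filter>
//   <filter-mapping><filter-name>FrameOptions</filter-name><url-pattern>/*</url-pattern></filter-mapping>
```

After deploying, confirm with a plain HTTP client (for example `curl -I` against the login URL) that the header appears on the login page and on error pages, since those are the responses a framing page would load.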