An Approach for Mitigating Potential Threats in Practical SSO Systems

With the prosperity of social networking, it becomes much more convenient for a user to sign onto multiple websites with a web-based single sign-on (SSO) account of an identity provider website. According to the implementation of these SSO system, we classify their patterns into two general abstract models: independent SSO model and standard SSO model. In our research, we find both models contain serious vulnerabilities in their credential exchange protocols. By examining five most famous identity provider websites (e.g. Google.com and Weibo.com) and 17 famous practical service provider websites, we confirm that these potential vulnerabilities of the abstract models can be exploited in the practical SSO systems. With testing on about 1,000 websites in the wild, we are sure that the problem that we find is widely existing in the real world. These vulnerabilities can be attributed to the lack of integrity protection of login credentials. In order to mitigate these threats, we provide an integral protection prototype which help keeping the credential in a secure environment. After finishing the designation, we implement this prototype in our laboratory environment. Furthermore, we deploy extensive experiments for illustrating the protection prototype is effective and efficient.