...
Title | Proposer | Description | Supporter (+1) |
---|---|---|---|
Scalable testing for insecure SAML signature validation | Thijs Kinkhorst (SURF) | The SAML 2.0 protocol relies on XML signatures as the foundation of its security. A SAML assertion is signed with XMLDsig and the SP must properly validate this signature. If it does not, basically anyone in the world can trivially provide it with assertions thereby logging in as anyone, which also cannot be easily detected or even seen by the IdP. XMLDsig (and SAML) is notoriously complex and allows for many ways to create one or more signatures for any document. This makes that an implementation can easily fall victim to accepting not properly signed data - and even common implementations in our world like Shibboleth and SimpleSAMLphp have had issues here in the past. Besides these common products, which at least are periodically audited for such problems, a much larger risk is custom implementations that use different or even home grown libraries. Most of the times, the happy path is tested (does login work), but the unhappy path (do invalid assertions fail), not so much. Given the paramount importance of signature validation, we should have a way to test whether SPs check signatures correctly. Although this can be done manually already, what's lacking is a scalable way that can test e.g. eduGAIN-like size of service providers (repeatedly) and for a large proportion of that set, determine if signatures are processed correctly. This requires to devise tests to fire off at these SPs and heuristics to determine automatically whether the tests passed or failed.
| Peter Brand (ACOnet) Anass Chabli (RENATER) |
Automation of | Mario Reale (GÉANT) | While supporting new federations in setting up their infrastructures, IdPs and SPs, generally speaking, we still do not have much automation in place. All is done, still very manually, and takes much time. Talking specifically of the SPs, both for the installation and configuration of the services themselves, and the required operations to federate them (i.e. make them fully functional SAML2 Service Providers), in order to be able to provide them in a federated (e.g.eduAGAIN) fashion, pretty much all is still left to manual set up. It would be useful to enhance the level of support we provide to them with the aim of quickly being able to deploy an initial set of services, the ones which could de-facto start to attract users towards the newly deployed federation infrastructure and the federated IdPs. The idea here is to propose a new cycle of T&I incubator task activities aimed at the following tasks:
| Davide Vaghetti (GARR) |
Simple IdM software tailored for R&E institutions | François Kooman (DeiC) | Deploying IdM software from scratch in R&E context is not easy. There are many moving parts, like LDAP, RADIUS, OIDC, SAML that all require their own installation, setup, configuration and maintenance. Existing solutions are usually a combination of expensive, outdated, complicated, offer limited functionality, not well-matched for R&E requirements, difficult to install, operate, update or deploy securely. Most solutions are focused on big enterprise deployments with thousands of users, but small(er) organizations are left without an and easy to deploy IdM. What is needed is software that makes it very easy for small to medium organizations to host and deploy their own IdM which requires minimal babysitting and is easy to configure through the web by designated administrators. What if you could simply install the software in ~5 minutes and configure it through the web interface in 5 more minutes and updating wouldn't be more complicated than running "apt upgrade" without having to worry about breaking your setup? More details on the proposal can be found here: https://cryptpad.fr/pad/#/2/pad/view/H9LhKlsbHVmYYptrQnTzOwRmlfRrVGeV5PnBowJZpvg/ | Anass Chabli (RENATER) Arnout Terpstra (SURF) |
Investigate Google WEI & Apple Private Access Tokens | Mihály Héder (KIFÜ/SZTAKI) | Google Web Environment Integrity is a method for websites to verify that the client platform (User Agent a.k.a. browser + operating system) is indeed genuine and has not been "tampered with". https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md The proposal has received strong criticism, the interlocutors mostly claim that it is just a harmful way of achieving DRM. For a summary, see the Wikipedia entry: https://en.wikipedia.org/wiki/Web_Environment_Integrity The insight of the CEO of Vivaldi browser is especially interesting: they apparently already need to spoof the user agent string in order to be able to use Google Docs, despite the fact that Vivaldi is based on chromium. By the proposers it is purported to be a replacement of browser fingerprint-based anti abuse methods. They also claim that it is a better alternative than Apple's Similar Private Access tokens, another attestation scheme that works between Apple devices and Cloudflare. They also claim in defense of WEI that they may help sunsetting the increasingly useless CAPTCHAs. WEI is already supported by Chrome on Android. |