.Nat Zone

Digital Identity et al.

Posts in "security"

On the XARA vulnerability on MacOS X and iOS

  2015/06/19    identity, OAuth, OpenID Connect

Just came across this article: Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X, by The Register. Since the news itself did not explain the nature of the attack well enough, I went on to read the full paper: Xing, …

New vulnerability on OpenSSL found

  2014/06/06    security

A new bug in OpenSSL was found by Masashi Kikuchi of Lepidum. It affects all versions of OpenSSL earlier than 1.0.1. For details, please refer to: http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html and http://www.openssl.org/news/secadv_20140605.txt

Covert Redirect is not new but.. A risk analysis and recommendations

So, there has been a flurry of worries induced by the CNET and other articles [1] about “Covert Redirect”. Like Leandro Boffi wrote in his blog post [2], this is not a new attack. It is an attack that has been …

Registered Token Profile for OAuth 2.0

  2012/08/03    identity, OAuth, OpenID Connect

So, the ID Token in OpenID Connect is audience restricted to the client while the OAuth bearer access token is audience restricted to the protected resource. It is a bearer. It can be used by anybody. It is a common model …

Analyzing Yahoo! Voices Password Leakage

Lots of articles appeared on the Yahoo! Voices’ password leakage on the 11th. Many people seem to be assuming that Yahoo!’s password has been leaked, but to me it seems a little different. According to the press articles[1], it seem …

Comments on Wang-Chen-Wang paper on OpenID Implementation Vulnerability

  2012/04/27    identity

In the paper titled “Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services”, Rui Wang, Shuo Chen, XiaoFeng Wang reported the “vulnerability” in some OpenID 2.0 implementations. The vulnerability they …

BrowserID protects the privacy of your Web activity? Really?

  2011/07/21    identity

So, BrowserID is buzzing. In general, a browser helping users to secure their login is a good thing. But, I have a bunch of problems with the current state of BrowserID. I feel like it has gone back to the era of …