On the Security and Privacy of Modern Single Sign-On in the Web

(Not Only) Attacks on OAuth and OpenID Connect

Guido Schmitz (gtrs) and dfett

Playlists: '33c3' videos starting here / audio / related events

Many web sites allow users to log in with their Facebook or Google account. This so-called Web single sign-on (SSO) often uses the standard protocols OAuth and OpenID Connect. How secure are these protocols? What can go wrong?

OAuth and OpenID Connect do not protect your privacy at all, i.e., your identity provider (e.g., Facebook or Google) can always track, where you log in. Mozilla tried to create an authentication protocol that aimed to prevent tracking: BrowserID (a.k.a. Persona). Did their proposition really solve the privacy issue? What are the lessons learned and can we do better?


These files contain multiple languages.

This Talk was translated into multiple languages. The files available for download contain all languages as separate audio-tracks. Most desktop video players allow you to choose between them.

Please look for "audio tracks" in your desktop video player.