Identity/Security/Replay attacks


Assertion replay

Risks

  • If an assertion is captured by an attacker, it can be replayed to a relying party (RP) to gain entry to that site and impersonate the user there.

Mitigations

  • Assertions are only valid for 2 minutes.
  • We recommend that sites send the assertion to their backend over HTTPS.
  • Verifiers could keep track of assertions they have seen in the last 2-3 minutes and reject any that appear a second time (verifier.login.persona.org doesn't do that).
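The following is an added illustration of the verifier-side checks listed above, not code from the Persona project or from verifier.login.persona.org. It assumes a simplified assertion that is a JSON object with an `exp` claim (expiry, seconds since the epoch) and an `aud` claim (the audience); real BrowserID assertions are signed bundles, and signature checking is assumed to have already happened before this step. The replay window is chosen to be longer than the 2-minute assertion lifetime, so that an assertion is remembered for as long as it could still be accepted.

```python
"""Verifier-side freshness and replay checks for short-lived login assertions.

Added example (not the Persona verifier's own code). Assumed, simplified
assertion format: a JSON object with ``exp`` and ``aud`` claims whose
signature has already been verified upstream.
"""
import hashlib
import json
import time

ASSERTION_LIFETIME = 120   # assertions are only valid for 2 minutes
REPLAY_WINDOW = 180        # remember seen assertions for 3 minutes (> lifetime)


class ReplayCache:
    """Remembers digests of accepted assertions for REPLAY_WINDOW seconds."""

    def __init__(self, window=REPLAY_WINDOW):
        self.window = window
        self._seen = {}  # sha256 digest of the raw assertion -> time first accepted

    def _expire(self, now):
        # Drop entries older than the window; the assertion itself has
        # expired by then, so it can no longer be accepted anyway.
        stale = [d for d, t in self._seen.items() if now - t > self.window]
        for d in stale:
            del self._seen[d]

    def check_and_record(self, raw_assertion, now):
        """Return True and record the assertion if it has not been seen before."""
        self._expire(now)
        digest = hashlib.sha256(raw_assertion.encode("utf-8")).hexdigest()
        if digest in self._seen:
            return False
        self._seen[digest] = now
        return True

    def size(self):
        return len(self._seen)


def verify_assertion(raw_assertion, expected_audience, cache, now=None):
    """Apply the audience, expiry and replay checks; return (ok, reason).

    ``raw_assertion`` must be the exact bytes the RP received, so that a
    replayed copy hashes to the same digest as the original.
    """
    now = time.time() if now is None else now
    try:
        claims = json.loads(raw_assertion)
        exp = float(claims["exp"])
        aud = claims["aud"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed assertion"
    if aud != expected_audience:
        return False, "audience mismatch"
    if now >= exp:
        return False, "assertion expired"
    if exp - now > ASSERTION_LIFETIME:
        # A verifier should not honour assertions minted with a longer lifetime.
        return False, "assertion lifetime too long"
    if not cache.check_and_record(raw_assertion, now):
        return False, "assertion replayed"
    return True, "ok"


def demo():
    """Constructed walk-through: first use accepted, replay rejected, expiry enforced."""
    t0 = 1_700_000_000  # constructed reference time
    rp = "https://rp.example"
    assertion = json.dumps({"aud": rp, "exp": t0 + 100, "email": "user@example.com"})
    cache = ReplayCache()
    first = verify_assertion(assertion, rp, cache, now=t0)
    replay = verify_assertion(assertion, rp, cache, now=t0 + 30)
    late = verify_assertion(assertion, rp, ReplayCache(), now=t0 + 200)
    return first, replay, late


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The cache keys on a digest of the raw assertion rather than on the user's email, so two distinct, legitimately issued assertions for the same user within the window are both accepted while an exact copy is not. In a multi-node verifier the cache would have to be shared (for example in a short-TTL key-value store) for the check to hold across nodes.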

Notes

Typically, on HTTP-only sites, attackers can already steal session cookies. The ability to create a new session after stealing an assertion is more useful to the attacker, since it allows the attacker to keep going after the real user logs out of the site and ends his or her session.