{
  "guid": "7ef9172a-e2c7-4e78-9316-08449bd582c6",
  "title": "On the Security and Privacy of Modern Single Sign-On in the Web",
  "subtitle": "(Not Only) Attacks on OAuth and OpenID Connect",
  "slug": "33c3-7827-on_the_security_and_privacy_of_modern_single_sign-on_in_the_web",
  "link": "https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/7827.html",
  "description": "\u003cp\u003eMany web sites allow users to log in with their Facebook or Google account. This so-called Web single sign-on (SSO) often uses the standard protocols OAuth and OpenID Connect. How secure are these protocols? What can go wrong?\u003c/p\u003e\n\n\u003cp\u003eOAuth and OpenID Connect do not protect your privacy at all, i.e., your identity provider (e.g., Facebook or Google) can always track where you log in. Mozilla tried to create an authentication protocol that aimed to prevent tracking: BrowserID (a.k.a. Persona). Did their proposal really solve the privacy issue? What are the lessons learned and can we do better?\u003c/p\u003e",
  "original_language": "eng",
  "persons": ["Guido Schmitz (gtrs)", "dfett"],
  "tags": ["Security"],
  "view_count": 2084,
  "promoted": false,
  "date": "2016-12-28T18:30:00.000+01:00",
  "release_date": "2016-12-28T01:00:00.000+01:00",
  "updated_at": "2026-01-09T12:15:22.882+01:00",
  "length": 3844,
  "duration": 3844,
  "thumb_url": "https://static.media.ccc.de/media/congress/2016/7827-hd.jpg",
  "poster_url": "https://static.media.ccc.de/media/congress/2016/7827-hd_preview.jpg",
  "timeline_url": "https://static.media.ccc.de/media/congress/2016/7ef9172a-e2c7-4e78-9316-08449bd582c6-timeline.jpg",
  "thumbnails_url": "https://static.media.ccc.de/media/congress/2016/7ef9172a-e2c7-4e78-9316-08449bd582c6-thumbnails.vtt",
  "frontend_link": "https://media.ccc.de/v/33c3-7827-on_the_security_and_privacy_of_modern_single_sign-on_in_the_web",
  "url": "https://api.media.ccc.de/public/events/7ef9172a-e2c7-4e78-9316-08449bd582c6",
  "conference_title": "33C3: works for me",
  "conference_url": "https://api.media.ccc.de/public/conferences/33c3",
  "related": [
    {"event_id": 3615, "event_guid": "74783236-46f4-493c-9574-1b27a44847b7", "weight": 37},
    {"event_id": 3636, "event_guid": "a1a52c4c-8233-403b-8f04-db981df016c1", "weight": 26},
    {"event_id": 3656, "event_guid": "1a6657a2-b6c2-4acc-b8fc-5ec081c0877f", "weight": 42},
    {"event_id": 3657, "event_guid": "4bff9cb3-9e91-4305-9029-f4d9053c7b5c", "weight": 32},
    {"event_id": 3665, "event_guid": "e204268f-0cea-4a1f-bb38-e7d50496492e", "weight": 29},
    {"event_id": 3667, "event_guid": "6347d122-daf0-4b30-851c-32cac06bf6bd", "weight": 24},
    {"event_id": 3668, "event_guid": "4745fbc3-87d4-41eb-8c82-2c1bb8a51beb", "weight": 28},
    {"event_id": 3671, "event_guid": "4ef69e6a-026f-4b30-888d-af654b220a3d", "weight": 43},
    {"event_id": 3673, "event_guid": "9e02145e-1d65-4398-b8e2-bd4c1faee0fa", "weight": 39},
    {"event_id": 3676, "event_guid": "f6811c99-96af-44d5-b82d-5afe826b2caf", "weight": 64},
    {"event_id": 3681, "event_guid": "149f13d4-cc8c-49a9-9e68-544754646022", "weight": 25},
    {"event_id": 3689, "event_guid": "1f7eb981-2819-4824-8f40-4ddde0be7bf3", "weight": 64},
    {"event_id": 3690, "event_guid": "8d0aed87-2484-4880-ae08-2dc3c7898959", "weight": 29},
    {"event_id": 3695, "event_guid": "c300b194-2a85-4705-92aa-b4e789882303", "weight": 32},
    {"event_id": 3734, "event_guid": "34ea8f1f-9fad-41aa-8424-e833f10e5e8b", "weight": 29},
    {"event_id": 3762, "event_guid": "25e2df7d-5740-4c2f-bc34-986326d606fe", "weight": 27}
  ],
  "recordings": [
    {
      "size": null,
      "length": null,
      "mime_type": "application/x-subrip",
      "language": "eng",
      "filename": "DRAFT_33c3-7827-eng-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web.en_DRAFT.srt",
      "state": "draft",
      "folder": "",
      "high_quality": true,
      "width": null,
      "height": null,
      "updated_at": "2023-09-03T18:39:02.724+02:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2016/DRAFT_33c3-7827-eng-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web.en_DRAFT.srt",
      "url": "https://api.media.ccc.de/public/recordings/50337",
      "event_url": "https://api.media.ccc.de/public/events/7ef9172a-e2c7-4e78-9316-08449bd582c6",
      "conference_url": "https://api.media.ccc.de/public/conferences/33c3"
    },
    {
      "size": 387,
      "length": 3844,
      "mime_type": "video/mp4",
      "language": "eng",
      "filename": "33c3-7827-eng-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web.mp4",
      "state": "new",
      "folder": "h264-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2016-12-28T21:02:34.413+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2016/h264-hd/33c3-7827-eng-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web.mp4",
      "url": "https://api.media.ccc.de/public/recordings/14017",
      "event_url": "https://api.media.ccc.de/public/events/7ef9172a-e2c7-4e78-9316-08449bd582c6",
      "conference_url": "https://api.media.ccc.de/public/conferences/33c3"
    },
    {
      "size": 431,
      "length": 3844,
      "mime_type": "video/mp4",
      "language": "deu",
      "filename": "33c3-7827-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web.mp4",
      "state": "new",
      "folder": "h264-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2016-12-28T21:02:55.091+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2016/h264-hd/33c3-7827-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web.mp4",
      "url": "https://api.media.ccc.de/public/recordings/14018",
      "event_url": "https://api.media.ccc.de/public/events/7ef9172a-e2c7-4e78-9316-08449bd582c6",
      "conference_url": "https://api.media.ccc.de/public/conferences/33c3"
    },
    {
      "size": 520,
      "length": 3844,
      "mime_type": "video/mp4",
      "language": "eng-deu",
      "filename": "33c3-7827-eng-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web_hd.mp4",
      "state": "new",
      "folder": "h264-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2016-12-28T21:03:16.133+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2016/h264-hd/33c3-7827-eng-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web_hd.mp4",
      "url": "https://api.media.ccc.de/public/recordings/14019",
      "event_url": "https://api.media.ccc.de/public/events/7ef9172a-e2c7-4e78-9316-08449bd582c6",
      "conference_url": "https://api.media.ccc.de/public/conferences/33c3"
    },
    {
      "size": 58,
      "length": 3831,
      "mime_type": "audio/mpeg",
      "language": "eng",
      "filename": "33c3-7827-eng-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web.mp3",
      "state": "new",
      "folder": "mp3",
      "high_quality": false,
      "width": 0,
      "height": 0,
      "updated_at": "2016-12-28T21:20:19.154+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2016/mp3/33c3-7827-eng-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web.mp3",
      "url": "https://api.media.ccc.de/public/recordings/14034",
      "event_url": "https://api.media.ccc.de/public/events/7ef9172a-e2c7-4e78-9316-08449bd582c6",
      "conference_url": "https://api.media.ccc.de/public/conferences/33c3"
    },
    {
      "size": 48,
      "length": 3831,
      "mime_type": "audio/opus",
      "language": "eng",
      "filename": "33c3-7827-eng-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web.opus",
      "state": "new",
      "folder": "opus",
      "high_quality": false,
      "width": 0,
      "height": 0,
      "updated_at": "2016-12-28T21:21:56.873+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2016/opus/33c3-7827-eng-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web.opus",
      "url": "https://api.media.ccc.de/public/recordings/14038",
      "event_url": "https://api.media.ccc.de/public/events/7ef9172a-e2c7-4e78-9316-08449bd582c6",
      "conference_url": "https://api.media.ccc.de/public/conferences/33c3"
    },
    {
      "size": 176,
      "length": 3844,
      "mime_type": "video/mp4",
      "language": "eng-deu",
      "filename": "33c3-7827-eng-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web_sd.mp4",
      "state": "new",
      "folder": "h264-sd",
      "high_quality": false,
      "width": 720,
      "height": 576,
      "updated_at": "2016-12-28T22:19:05.819+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2016/h264-sd/33c3-7827-eng-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web_sd.mp4",
      "url": "https://api.media.ccc.de/public/recordings/14065",
      "event_url": "https://api.media.ccc.de/public/events/7ef9172a-e2c7-4e78-9316-08449bd582c6",
      "conference_url": "https://api.media.ccc.de/public/conferences/33c3"
    },
    {
      "size": 177,
      "length": 3844,
      "mime_type": "video/webm",
      "language": "eng-deu",
      "filename": "33c3-7827-eng-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web_webm-sd.webm",
      "state": "new",
      "folder": "webm-sd",
      "high_quality": false,
      "width": 720,
      "height": 576,
      "updated_at": "2016-12-28T22:23:58.586+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2016/webm-sd/33c3-7827-eng-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web_webm-sd.webm",
      "url": "https://api.media.ccc.de/public/recordings/14074",
      "event_url": "https://api.media.ccc.de/public/events/7ef9172a-e2c7-4e78-9316-08449bd582c6",
      "conference_url": "https://api.media.ccc.de/public/conferences/33c3"
    },
    {
      "size": 445,
      "length": 3844,
      "mime_type": "video/webm",
      "language": "eng-deu",
      "filename": "33c3-7827-eng-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web_webm-hd.webm",
      "state": "new",
      "folder": "webm-hd",
      "high_quality": true,
      "width": 1920,
      "height": 1080,
      "updated_at": "2016-12-29T11:48:46.921+01:00",
      "recording_url": "https://cdn.media.ccc.de/congress/2016/webm-hd/33c3-7827-eng-deu-On_the_Security_and_Privacy_of_Modern_Single_Sign-On_in_the_Web_webm-hd.webm",
      "url": "https://api.media.ccc.de/public/recordings/14203",
      "event_url": "https://api.media.ccc.de/public/events/7ef9172a-e2c7-4e78-9316-08449bd582c6",
      "conference_url": "https://api.media.ccc.de/public/conferences/33c3"
    }
  ]
}