
312 points campuscodi | 3 comments
tptacek No.43375191
SAML (more broadly XML-DSIG) is literally the worst security protocol in common use. I think you should generally be taking whatever hits you need to take to transition from it to OAuth. Certainly, I would refuse to bring a new product to market that relied on it. It's incredibly dangerous. Unless there's some breakthrough in practical formal verification, I can't imagine that this will be the last or the worst DSIG vulnerability.
replies(4): >>43375239 #>>43375862 #>>43376397 #>>43376552 #
1. shellcromancer No.43375239
Security Cryptography Whatever's take on this week's SAML nonsense will be fun.
replies(1): >>43375276 #
2. tptacek No.43375276
Honestly, hadn't thought of it, but of course we should do that. Thanks!
replies(1): >>43376014 #
3. janderson215 No.43376014
I’d sub to infosec rant podcasts. $5/mo Patreon sub for a non-vtuber version.