
312 points campuscodi | 1 comments
tptacek No.43375191
SAML (more broadly XML-DSIG) is literally the worst security protocol in common use. I think you should generally be taking whatever hits you need to take to transition from it to OAuth. Certainly, I would refuse to bring a new product to market that relied on it. It's incredibly dangerous. Unless there's some breakthrough in practical formal verification, I can't imagine that this will be the last or the worst DSIG vulnerability.
replies(4): >>43375239 #>>43375862 #>>43376397 #>>43376552 #
nimish No.43375862
One day I will write an essay on all of the incredibly stupid things XML DSig does, and that's not even touching the cryptography. It's peak enterprise software brain.

Someone should go deep on the mailing list and standards body horrors of WS-* and OASIS/XACML and all that crap

replies(1): >>43380286 #
pushkar2911 No.43380286
Please write about this. I would love to read it.