[cas-dev] Cas success XML snippet security

Patrick Berry pberry at gmail.com
Thu Mar 27 10:28:12 EDT 2008


In much the same way that a user needs to "know" when they are putting
credentials into your CAS instance or a phishing site.  The user trusts the
hostname and the SSL certificate.
Is the chief trying to think of a situation where the user is going to CAS
but somehow the application is tricked into sending the ticket to another
server for validation?  I'm not saying it's impossible, but I would put it
up there in the highly unlikely category.  The ticket validation is over
SSL, and at that point your application/client library is checking the
certificate of what it thinks is the CAS server.  If the cert is
self-signed, the library could decide to not go through with the ticket
validation.

I'm not sure what the default is in most libraries.

Pat

On Thu, Mar 27, 2008 at 4:49 AM, David Whitehurst <dlwhitehurst at gmail.com>
wrote:

> This may be overkill, but how does CAS "know" that the XML success message
> coming from the CAS server is truly the CAS server and not a box
> masquerading that just sends a success message and a user in the CAS dtd
> format?
>
> I understand that this transmission is between servers using HTTPS (SSL)
> and they have accepted each other and have begun communications.  This is a
> question from a Security Chief that I cannot answer.
>
>
> Thanks,
>
> David
>
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>
>
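The checks Pat describes (the client library verifying the CAS server's certificate before sending the ticket for validation, and only accepting a genuine CAS success response) can be made explicit in a service's own validation code. This is an added example, not code from the thread or from any CAS client library; the host allowlist `cas.example.edu`, the function names and the sample XML responses are assumptions constructed for illustration.

```python
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit
from urllib.request import urlopen

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of the CAS 2.0 serviceValidate response
# Hypothetical configuration: the only CAS host this application may send tickets to.
TRUSTED_CAS_HOSTS = {"cas.example.edu"}

# Constructed sample responses (not captured from a real CAS server).
SUCCESS_XML = b"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = b"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>bad ticket</cas:authenticationFailure>
</cas:serviceResponse>"""
# A "success" document in the wrong namespace must not be accepted either.
FORGED_XML = b"<serviceResponse><authenticationSuccess><user>root</user></authenticationSuccess></serviceResponse>"


def verifying_tls_context():
    """TLS context that requires a CA-signed certificate matching the hostname; a self-signed cert fails here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_trusted_validate_url(url):
    """True only for an https URL on the configured CAS host, so a ticket is never sent elsewhere."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_CAS_HOSTS


def parse_service_response(xml_bytes):
    """Return the user from a CAS 2.0 <cas:authenticationSuccess>, or None for anything else."""
    root = ET.fromstring(xml_bytes)
    if root.tag != CAS_NS + "serviceResponse":
        return None
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        return None
    user = success.findtext(CAS_NS + "user")
    return user.strip() if user else None


def validate_ticket(cas_validate_url, service, ticket):
    """Validate a service ticket against the trusted CAS host over verified TLS; returns the user or None."""
    if not is_trusted_validate_url(cas_validate_url):
        raise ValueError("refusing to send ticket to %r" % cas_validate_url)
    url = cas_validate_url + "?" + urlencode({"service": service, "ticket": ticket})
    with urlopen(url, context=verifying_tls_context(), timeout=10) as resp:
        return parse_service_response(resp.read())
```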