Skip navigation

STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

WebAuth 3.3.0 Announcement

The ITSS WebAuth team is pleased to announce Stanford WebAuth 3.3.0. This release removes support for S/Ident due to a security flaw in the protocol, adds another option for multi-value attribute handling in LDAP lookups, and improves the LDAP module documentation.

For documentation and downloads of WebAuth 3.3.0, see:

<http://webauth.stanford.edu/>

We have not yet updated the versions of the binary packages for Solaris, but will do so soon. There will be a separate announcement when that is done.

The user-visible changes in this release are:

  • All WebKDC support for S/Ident removed. The S/Ident protocol is inherently vulnerable to an active man-in-the-middle attack that is particularly severe for WebAuth, since S/Ident authentication is done by a single server and WebAuth users regularly visit that server. Exploiting this protocol flaw would allow an attacker to capture a single sign-on cookie and then impersonate the user to all WebAuth sites in that domain.

  • Added WebAuthLdapSeparator to specify the separator for multivalued attributes. When set in the server configuration, all values of a multivalued attribute are concatenated together, separated by that separator, and put into the base WEBAUTH_LDAP_* environment variable (rather than only the first one).

  • Cleaned up, expanded, and improved the module documentation for mod_webauthldap.

Last modified Friday, 12-Dec-2014 02:31:13 PM

Stanford University Home Page