SudoWeb: Minimizing Information Disclosure to Third Parties in Single Sign-on Platforms

  • Conference paper
Information Security (ISC 2011)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7001))

Abstract

Over the past few months we have seen a large and ever-increasing number of Web sites encouraging users to log in with their Facebook, Twitter, or Gmail identity, or to personalize their browsing experience through a set of plug-ins that interact with the users’ social profile. Research results suggest that more than two million Web sites have already adopted Facebook’s social plug-ins, and the number is increasing sharply. Although one might theoretically refrain from such single sign-on platforms and cross-site interactions, usage statistics show that more than 250 million people might not fully realize the privacy implications of opting in. To make matters worse, certain Web sites do not offer even the minimum of their functionality unless the users meet their demands for information and social interaction. At the same time, in a large number of cases, it is unclear why these sites require all that personal information for their purposes.

In this paper we mitigate this problem by designing and developing a framework for minimum information disclosure across third-party sites with single sign-on interactions. Our example case is Facebook, which combines a very popular single sign-on platform with information-rich social networking profiles. When a user wants to browse a Web site that requires authentication or social interaction with his Facebook identity, our system employs, by default, a Facebook session that reveals the minimum amount of information necessary. The user has the option to explicitly elevate that Facebook session in a manner that reveals more or all of the information tied to his social identity. This enables users to disclose the minimum possible amount of personal information during their browsing experience on third-party Web sites.
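The session-selection policy the abstract describes, written out as an added illustration (this is not the paper's own code and does not use the Facebook API): a browser keeps two isolated session contexts for the same identity provider, routes every third-party request through the minimal one by default, and switches a site to the full-profile context only after an explicit user action. The field sets and tokens are constructed sample values.

```python
"""Model of a SudoWeb-style minimal-disclosure session policy.

Assumption (not from the paper): the browser holds two isolated session
contexts, each with its own cookie and its own set of exposed profile fields.
"""
from dataclasses import dataclass, field

# Constructed sample field sets: what each session context exposes.
MINIMAL_FIELDS = {"user_id", "display_name"}
FULL_FIELDS = MINIMAL_FIELDS | {"email", "friends", "birthday", "photos"}


@dataclass
class SessionContext:
    name: str
    cookie: str                      # session token of this isolated context
    fields: set = field(default_factory=set)


@dataclass
class SessionRouter:
    minimal: SessionContext
    elevated: SessionContext
    elevated_sites: set = field(default_factory=set)   # sites the user elevated

    def elevate(self, site: str, user_confirmed: bool) -> bool:
        """Elevate a site only on explicit user confirmation, never by default."""
        if not user_confirmed:
            return False
        self.elevated_sites.add(site)
        return True

    def revoke(self, site: str) -> None:
        """Drop a site back to the minimal context."""
        self.elevated_sites.discard(site)

    def context_for(self, site: str) -> SessionContext:
        """Choose the session context a request to `site` will carry."""
        return self.elevated if site in self.elevated_sites else self.minimal

    def disclosed_fields(self, site: str) -> set:
        """Profile fields `site` can learn through the context it receives."""
        return set(self.context_for(site).fields)


def make_router() -> SessionRouter:
    # Constructed sample tokens; real ones would come from the identity provider.
    return SessionRouter(
        minimal=SessionContext("minimal", "tok-min-0001", set(MINIMAL_FIELDS)),
        elevated=SessionContext("elevated", "tok-full-0001", set(FULL_FIELDS)),
    )
```

Every site starts in the minimal context, so a third party that never triggers elevation only ever sees the minimal field set and the minimal cookie.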



© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kontaxis, G., Polychronakis, M., Markatos, E.P. (2011). SudoWeb: Minimizing Information Disclosure to Third Parties in Single Sign-on Platforms. In: Lai, X., Zhou, J., Li, H. (eds) Information Security. ISC 2011. Lecture Notes in Computer Science, vol 7001. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24861-0_14

  • DOI: https://doi.org/10.1007/978-3-642-24861-0_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24860-3

  • Online ISBN: 978-3-642-24861-0
