security of "shibuseheaders"

Eric Goodman Eric.Goodman at ucop.edu
Wed Nov 23 15:20:00 EST 2016


>In the almost ten or so years since the spoofing issues were identified and mitigated, I'm not aware of any successful attacks against it.

Just for clarity, is this properly parsed as the following?:

"In the almost ten or so years since the [Shib header] spoofing issues were identified and mitigated, I'm not aware of any successful attacks against it [where the Shib SP allowed a spoofed header to be passed to the resource it was directly protecting]."

Thanks!

--- Eric

