

Venue: Mingli Building, Room B306    Speaker: Li Wanpeng    Reviewed by: Yang Zhaozhong    Editor: Liu Shuyan    Published: 14 May 2024


Speaker: Dr. Li Wanpeng, Assistant Professor and doctoral supervisor

Time: 14 May, 16:30-18:00



Li Wanpeng is an Assistant Professor and doctoral supervisor at the University of Aberdeen, UK, where he heads the Cyber Security section of the Department of Computing Science. He was previously an Assistant Professor at Manchester Metropolitan University, where he led the Cyber Security, Information Security and Digital Forensics section and was a principal participant in the Greater Manchester Cyber Foundry project. He received his PhD from Royal Holloway, University of London, and carried out postdoctoral research in the group of Professor Toms Chen in the Department of Computer Science at City, University of London. His research focuses on identity management systems, web security, applied cryptography and software security. He has published a number of high-quality international papers in network and information security; in particular, his work on identity management systems substantially improved the security of the OpenID Connect deployments of Google and several other Internet companies, for which he was listed in Google's Security Hall of Fame.


Currently widely used federated login (single sign-on) systems, notably those based on OAuth 2.0, offer very little privacy for the user, and as a result the identity provider (e.g. Google or Facebook) can learn a great deal about user web behaviour, in particular which sites they access. This is clearly not desirable for privacy reasons, and in particular for privacy-conscious users who wish to minimise the information about web access behaviour that they reveal to third-party organisations. In this paper we give a systematic analysis of the user access privacy properties of OAuth 2.0 and OpenID Connect systems, and in doing so describe how simple it is for an identity provider to track user accesses. We also propose possible ways in which these privacy issues could, to some extent, be mitigated, although we conclude that making the protocols truly privacy-respecting requires significant changes to the way in which they operate. In particular, it seems impossible to develop simple browser-based mitigations without modifying the protocol behaviour. We also briefly examine parallel research by Hammann et al., who have proposed a means of improving the privacy properties of OpenID Connect.
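To make the abstract's central point concrete, the following is an added example (not code from the talk, the paper, or any identity provider) simulating what an OAuth 2.0 / OpenID Connect identity provider observes at its authorization endpoint during the authorization code flow. Every authorization request carries a `client_id` and a `redirect_uri` that the IdP must validate against its client registry in order to complete the flow, so recording which user authenticated to which relying party (RP), and when, requires nothing beyond processing the protocol messages the IdP handles anyway. All client ids, URLs, users and timestamps are constructed sample values; `REGISTERED_CLIENTS` and the helper functions are assumptions of this example.

```python
"""Added example: an IdP-side view of the OAuth 2.0 / OpenID Connect
authorization code flow, showing how a per-user log of visited relying
parties falls out of the messages the IdP must process.

All identifiers, URLs and timestamps are constructed sample values."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed: the IdP's client registry.  Each RP registered its client_id
# and its allowed redirect URIs when it signed up, so the IdP already knows
# which site every client_id belongs to.
REGISTERED_CLIENTS = {
    "shop-123": {"https://shop.example/cb"},
    "news-456": {"https://news.example/oidc/return"},
    "forum-789": {"https://forum.example/login/callback"},
}

# Constructed: (user, unix_time, authorization request URL) triples as the
# IdP's authorization endpoint would observe them.  The user is known to the
# IdP from its own session cookie; the URL is what the RP redirected the
# browser to.
SAMPLE_REQUESTS = [
    ("alice", 1715675400,
     "https://idp.example/authorize?response_type=code&client_id=shop-123"
     "&redirect_uri=https%3A%2F%2Fshop.example%2Fcb&scope=openid%20email&state=s1"),
    ("alice", 1715679000,
     "https://idp.example/authorize?response_type=code&client_id=news-456"
     "&redirect_uri=https%3A%2F%2Fnews.example%2Foidc%2Freturn&scope=openid&state=s2"),
    ("bob", 1715680000,
     "https://idp.example/authorize?response_type=code&client_id=forum-789"
     "&redirect_uri=https%3A%2F%2Fforum.example%2Flogin%2Fcallback&scope=openid&state=s3"),
    ("alice", 1715762000,
     "https://idp.example/authorize?response_type=code&client_id=shop-123"
     "&redirect_uri=https%3A%2F%2Fshop.example%2Fcb&scope=openid%20email&state=s4"),
]


def parse_authorization_request(url):
    """Return the query parameters of an authorization request after the
    checks an IdP has to perform.

    client_id and redirect_uri are mandatory for the flow to work at all:
    without them the IdP cannot tell whom the code is for or where to send
    the browser back.  This is why a browser-side filter cannot simply
    strip the parameters that identify the RP.
    """
    query = parse_qs(urlsplit(url).query)
    params = {key: values[0] for key, values in query.items()}
    for required in ("response_type", "client_id", "redirect_uri"):
        if required not in params:
            raise ValueError(f"missing required parameter: {required}")
    allowed = REGISTERED_CLIENTS.get(params["client_id"])
    if allowed is None or params["redirect_uri"] not in allowed:
        raise ValueError("unknown client_id or unregistered redirect_uri")
    return params


def build_access_log(requests):
    """Simulate the IdP: record, per user, every RP they authenticated to.

    The log is a by-product of validating each request; no extra tracking
    machinery is needed.
    """
    log = defaultdict(list)
    for user, timestamp, url in requests:
        params = parse_authorization_request(url)
        rp_host = urlsplit(params["redirect_uri"]).hostname
        log[user].append((timestamp, params["client_id"], rp_host))
    return dict(log)


def sites_visited(log, user):
    """Distinct RP hostnames a user has logged in to, in first-seen order."""
    seen = []
    for _, _, host in log.get(user, []):
        if host not in seen:
            seen.append(host)
    return seen


def login_count(log, user, rp_host):
    """How many times the user authenticated to a given RP."""
    return sum(1 for _, _, host in log.get(user, []) if host == rp_host)


if __name__ == "__main__":
    access_log = build_access_log(SAMPLE_REQUESTS)
    for user in sorted(access_log):
        print(user, "->", sites_visited(access_log, user))
```

The `parse_authorization_request` check is also the reason the abstract's pessimism about browser-side mitigations is well founded: the same `client_id` and `redirect_uri` that leak the visited site are the values the IdP needs to issue and deliver the code, and the RP re-identifies itself again when it redeems that code at the token endpoint.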



