DOCSLIB.ORG

Improving Security and Privacy of Integrated Web Applications

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Improving Security and Privacy of Integrated Web Applications A Dissertation Presented to the Faculty of the School of Engineering and Applied Science University of Virginia In Partial Fulfillment of the requirements for the Degree Doctor of Philosophy (Computer Engineering) by Yuchen Zhou May 2015 c 2015 Yuchen Zhou Abstract Modern applications integrate third-party services for easier development, additional functionality (e.g., connecting with social network identities), and extra revenue (e.g., advertising networks). This integra- tion, however, presents risks to application integrity and user privacy. This research addresses integrated applications that incorporate two types of third-party services: (1) services from trusted providers that provide security-critical functionalities to an application such as Single Sign-On (SSO), and (2) services from untrusted providers that incorporate other services such as analytics and advertisements. Unlike traditional library inclusions, integrated applications present new challenges due to the opaqueness of third-party back end services and platform runtimes. For the first type of integration, we assume a benign service provider and our goal is to eliminate misunderstandings between the service provider and the application developer that may lead to security vulnerabilities in the implementation. We advocate for a systematic approach to discover implicit assumptions that uses an iterative process to refine system models and uncover needed assumptions. To better understand the prevalence of discovered vulnerabilities at large scale, we developed an automated vulnerability scanner, SSOScan, that can be deployed in an application marketplace or as a stand-alone service. This testing framework can drive the application automatically and check if a given application is vulnerable by carrying out simulated attacks and monitoring application traffic and behavior, and we have used it to automatically find serious vulnerabilities in hundreds of websites. For the second type of integration, the embedding application does not rely on a third-party service for security-critical functionality, but wants to prevent harm to the application and its users from embedded services that may be malicious. Integrated services often execute as the same principal as the host application code, with full access to application and user data. To mitigate the potential risks of integrating untrusted code, our approach aims to prevent third-party services from exfiltrating sensitive data or maliciously tampering i Abstract ii with the host content. To this end, we first developed a modified Chromium browser that supports fine-grained DOM access control, as well as JavaScript execution context isolation. We built an automatic policy generator that identifies private information by comparing duplicate requests. To reduce false positives and further improve site administrator’s understanding of third-party JavaScript behavior, we built ScriptInspector, a modification of Firefox that mediates, records, and visualizes critical resource accesses. ScriptInspector can be used to compare runtime accesses with existing policies and report violations to site administrators. To facilitate policy creation, the PolicyGenerator extension proposes permission candidates for site administrators to inspect, edit, and approve. The nature of modern web application development presents major challenges for security. Although developers are prone to make mistakes when integrating third-party components, the systematic analysis approach, automatic scanners, and developer tools we present can significantly increase a developer’s confidence in the security and privacy of integrated applications. APPROVAL SHEET The dissertation is submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy AUTHOR The dissertation has been read and approved by the examining committee: David Evans Advisor Shuo Chen Joanne Dugan Kevin Sullivan Westley Weimer Ronald Williams Accepted for the School of Engineering and Applied Science: Dean, School of Engineering and Applied Science May 2015 此博士论文 献给我敬爱的父母,感谢你们一直以来对我的信任与爱; 献给我已故的奶奶,感谢您对我十多年来无微不至的关怀与照料; 献给我的妻子,感谢你在攻读博士期间给我的理解与支持; This dissertation is also dedicated to my PhD advisor Dr. David Evans and internship mentor Dr. Shuo Chen, who offered their unwavering support and encouragement over the years. iv Acknowledgements Over the past six years of my PhD studies, I have received support from a great number of individuals, both emotionally and professionally. First and most importantly, I would like to express my sincere thanks to my PhD advisor Dr. David Evans. Dr. Evans has been a great mentor, colleague, and friend. His guidance has made this a thoughtful and rewarding journey, and his firm support for me to travel to numerous conferences and talk with various researchers gave me a vantage point for the entire research area. Second, I would like to thank Dr. Shuo Chen and Dr. Rui Wang specifically, my Microsoft Research mentors, who opened my eyes to a new different world; the work we did together eventually became a big part of this dissertation. Third, I want to thank the rest of my PhD committee members: Dr. Joanne Dugan, Dr. Kevin Sullivan, Dr. Westley Weimer, and Dr. Ronald Williams for their comments and suggestions to perfect this dissertation. I also had the great honor to work with an excellent group of fellow graduate and undergraduate students in the security research group here at the University of Virginia. I appreciate the inspiration from all of you — Jeffrey Shirley, Yan Huang, Yu Yao, Peter Chapman, Jonathan Burket, Tianhao Tong, Samee Zahur, Yikan Chen, Longze Chen, Ivan Alagenchev, Simon Sibomana, Weilin Xu, Haina Li, and Natnatee Dokmai. I also need to thank my fellow computer engineering PhD students Runjie Zhang, Michael Boyer, Jiawei Huang, and Shuai Che for their help and suggestions over the years. I would also like to thank my other colleagues at Microsoft Research, Shaz Qadeer and Yuri Gurevich, who provided us with support and help on model checking and theorem proving techniques. Finally, I would not be able to achieve all these without the generous funding support from the National Science Foundation, the Air Force Office of Scientific Research, and Google. I would like to thank them for their financial support throughout my PhD studies. v Contents Contents vi List of Tables............................................. ix List of Figures.............................................x 1 Introduction 1 1.1 Risks of Integrated Applications................................1 1.1.1 Integrating security services..............................2 1.1.2 Embedding untrusted services.............................3 1.2 Thesis..............................................4 1.3 Dissertation Contributions...................................4 2 Background 7 2.1 Privileges of Third-Party Scripts................................8 3 The Explication Process 10 3.1 Single Sign-On Service..................................... 11 3.1.1 Integration approach.................................. 12 3.1.2 The SSO protocols................................... 13 3.1.3 Facebook OAuth 2.0 workflow............................. 14 3.1.4 Facebook Connect credential types.......................... 14 3.2 Prior Work............................................ 15 3.2.1 API and SDK Misuses................................. 16 3.2.2 Program and Interface Verification........................... 16 3.2.3 Protocol Analysis.................................... 17 3.3 An Illustrative Example..................................... 18 3.3.1 Intended Use...................................... 18 3.3.2 Unintended (Hazardous) Use.............................. 19 3.3.3 Resolution and Insights................................. 20 3.4 The Explication Process.................................... 21 3.4.1 Scenario......................................... 21 3.4.2 Threat Model...................................... 22 3.4.3 Security Properties................................... 23 3.4.4 The Iterative Explication Process........................... 23 3.5 Semantic Modeling....................................... 24 3.5.1 Modeling language................................... 24 3.5.2 Modeling Concrete Modules.............................. 25 3.5.3 Modeling Abstract Modules.............................. 29 vi Contents vii 3.5.4 Constructing Assertions................................ 30 3.6 Summary of explication discoveries.............................. 31 3.6.1 Assumptions Uncovered................................ 31 3.7 Exploit opportunities...................................... 33 3.7.1 Facebook SDK..................................... 33 3.7.2 Microsoft Live Connect................................ 37 3.7.3 Windows 8 Modern app SDK............................. 37 3.7.4 Testing Real-world Applications............................ 38 4 SSOScan: Automatic Vulnerability Scanner 41 4.1 A Manual Scanning Example.................................. 42 4.2 Related Work.......................................... 45 4.3 Targeted Vulnerabilities..................................... 47 4.4 Design and Implementation................................... 48 4.4.1 SSO Button Finder................................... 49 4.4.2 Completing Registration................................ 50 4.4.3 Oracle.......................................... 50 4.4.4 Vulnerability Tester................................... 51 4.5 Large-scale Study.......................................
Recommended publications
  • Comparative Analysis and Framework Evaluating Web Single Sign-On Systems

    Comparative Analysis and Framework Evaluating Web Single Sign-On Systems

    Comparative Analysis and Framework Evaluating Web Single Sign-On Systems FURKAN ALACA, School of Computing, Queen’s University, [email protected] PAUL C. VAN OORSCHOT, School of Computer Science, Carleton University, [email protected] We perform a comprehensive analysis and comparison of 14 web single sign-on (SSO) systems proposed and/or deployed over the last decade, including federated identity and credential/password management schemes. We identify common design properties and use them to develop a taxonomy for SSO schemes, highlighting the associated trade-offs in benefits (positive attributes) offered. We develop a framework to evaluate the schemes, in which weidentify14 security, usability, deployability, and privacy benefits. We also discuss how differences in priorities between users, service providers (SPs), and identity providers (IdPs) impact the design and deployment of SSO schemes. 1 INTRODUCTION Password-based authentication has numerous documented drawbacks. Despite the many password alternatives, no scheme has thus far offered improved security without trading off deployability or usability [8]. Single Sign-On (SSO) systems have the potential to strengthen web authentication while largely retaining the benefits of conventional password-based authentication. We analyze in depth the state-of-the art ofwebSSO through the lens of usability, deployability, security, and privacy, to construct a taxonomy and evaluation framework based on different SSO architecture design properties and their associated benefits and drawbacks. SSO is an umbrella term for schemes that allow users to rely on a single master credential to access a multitude of online accounts. We categorize SSO schemes across two broad categories: federated identity systems (FIS) and credential managers (CM).
  • Elastic Load Balancing Application Load Balancers Elastic Load Balancing Application Load Balancers

    Elastic Load Balancing Application Load Balancers Elastic Load Balancing Application Load Balancers

    Elastic Load Balancing Application Load Balancers Elastic Load Balancing Application Load Balancers Elastic Load Balancing: Application Load Balancers Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. Elastic Load Balancing Application Load Balancers Table of Contents What is an Application Load Balancer? .................................................................................................. 1 Application Load Balancer components ......................................................................................... 1 Application Load Balancer overview ............................................................................................. 2 Benefits of migrating from a Classic Load Balancer ........................................................................ 2 Related services ......................................................................................................................... 3 Pricing ...................................................................................................................................... 3 Getting started .................................................................................................................................
  • Analisi Del Progetto Mozilla

    Analisi Del Progetto Mozilla

    Università degli studi di Padova Facoltà di Scienze Matematiche, Fisiche e Naturali Corso di Laurea in Informatica Relazione per il corso di Tecnologie Open Source Analisi del progetto Mozilla Autore: Marco Teoli A.A 2008/09 Consegnato: 30/06/2009 “ Open source does work, but it is most definitely not a panacea. If there's a cautionary tale here, it is that you can't take a dying project, sprinkle it with the magic pixie dust of "open source", and have everything magically work out. Software is hard. The issues aren't that simple. ” Jamie Zawinski Indice Introduzione................................................................................................................................3 Vision .........................................................................................................................................4 Mozilla Labs...........................................................................................................................5 Storia...........................................................................................................................................6 Mozilla Labs e i progetti di R&D...........................................................................................8 Mercato.......................................................................................................................................9 Tipologia di mercato e di utenti..............................................................................................9 Quote di mercato (Firefox).....................................................................................................9
  • Firefox OS Overview Ewa Janczukowicz

    Firefox OS Overview Ewa Janczukowicz

    Firefox OS Overview Ewa Janczukowicz To cite this version: Ewa Janczukowicz. Firefox OS Overview. [Research Report] Télécom Bretagne. 2013, pp.28. hal- 00961321 HAL Id: hal-00961321 https://hal.archives-ouvertes.fr/hal-00961321 Submitted on 24 Apr 2014 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Collection des rapports de recherche de Télécom Bretagne RR-2013-04-RSM Firefox OS Overview Ewa JANCZUKOWICZ (Télécom Bretagne) This work is part of the project " Étude des APIs Mozilla Firefox OS" supported by Orange Labs / TC PASS (CRE API MOZILLA FIREFOX OS - CTNG13025) ACKNOWLEGMENTS Above all, I would like to thank Ahmed Bouabdallah and Arnaud Braud for their assistance, support and guidance throughout the contract. I am very grateful to Gaël Fromentoux and Stéphane Tuffin for giving me the possibility of working on the Firefox OS project. I would like to show my gratitude to Jean-Marie Bonnin, to all members of Orange NCA/ARC team and RSM department for their help and guidance. RR-2013-04-RSM 1 RR-2013-04-RSM 2 SUMMARY Firefox OS is an operating system for mobile devices such as smartphones and tablets.
  • A Hybrid Approach to Detect Tabnabbing Attacks

    A Hybrid Approach to Detect Tabnabbing Attacks

    A Hybrid Approach to Detect Tabnabbing Attacks by Hana Sadat Fahim Hashemi A thesis submitted to the School of Computing in conformity with the requirements for the degree of Master of Science Queen's University Kingston, Ontario, Canada August 2014 Copyright c Hana Sadat Fahim Hashemi, 2014 Abstract Phishing is one of the most prevalent types of modern attacks, costing significant financial losses to enterprises and users each day. Despite the emergence of various anti-phishing tools and techniques, not only there has been a dramatic increase in the number of phishing attacks but also more sophisticated forms of these attacks have come into existence. One of the most complicated and deceptive forms of phishing attacks is the tabnabbing attack. This newly discovered threat takes advantage of the user's trust and inattention to the open tabs in the browser and changes the appearance of an already open malicious page to the appearance of a trusted website that demands confidential information from the user. As one might imagine, the tabnabbing attack mechanism makes it quite probable for even an attentive user to be lured into revealing his or her confidential information. Few tabnabbing detection and prevention techniques have been proposed thus far. The majority of these techniques block scripts that are susceptible to perform malicious actions or violate the browser security policy. However, most of these techniques cannot effectively prevent the other variant of the tabnabbing attack that is launched without the use of scripts. In this thesis, we propose a hybrid tabnabbing detection approach with the aim i of overcoming the shortcomings of the existing anti-tabnabbing approaches and tech- niques.
  • TR-069 CPE WAN Management Protocol V1.1

    TR-069 CPE WAN Management Protocol V1.1

    TECHNICAL REPORT TR-069 CPE WAN Management Protocol v1.1 Version: Issue 1 Amendment 2 Version Date: December 2007 © 2007 The Broadband Forum. All rights reserved. CPE WAN Management Protocol v1.1 TR-069 Issue 1 Amendment 2 Notice The Broadband Forum is a non-profit corporation organized to create guidelines for broadband network system development and deployment. This Technical Report has been approved by members of the Forum. This document is not binding on the Broadband Forum, any of its members, or any developer or service provider. This document is subject to change, but only with approval of members of the Forum. This document is provided "as is," with all faults. Any person holding a copyright in this document, or any portion thereof, disclaims to the fullest extent permitted by law any representation or warranty, express or implied, including, but not limited to, (a) any warranty of merchantability, fitness for a particular purpose, non-infringement, or title; (b) any warranty that the contents of the document are suitable for any purpose, even if that purpose is known to the copyright holder; (c) any warranty that the implementation of the contents of the documentation will not infringe any third party patents, copyrights, trademarks or other rights. This publication may incorporate intellectual property. The Broadband Forum encourages but does not require declaration of such intellectual property. For a list of declarations made by Broadband Forum member companies, please see www.broadband-forum.org. December 2007 © The Broadband
  • User Controlled Trust and Security Level of Web Real-Time Communications Kevin CORRE

    User Controlled Trust and Security Level of Web Real-Time Communications Kevin CORRE

    User Controlled Trust and Security Level of Web Real-Time Communications THESE DE DOCTORAT DE L’UNIVERSITE DE RENNES 1 COMUE UNIVERSITE BRETAGNE LOIRE Ecole Doctorale N° 601 Mathèmatique et Sciences et Technologies de l’Information et de la Communication Spécialité : Informatique Thèse présentée et soutenue à RENNES, le 31 MAI 2018 par Kevin CORRE Unité de recherche : IRISA (UMR 6074) Institut de Recherche en Informatique et Systemes Aléatoires Thèse N° : Rapporteurs avant soutenance : Maryline LAURENT, Professeur, TELECOM SudParis Yvon KERMARREC, Professeur, IMT Atlantique Composition du jury : Présidente : Maryline LAURENT, Professeur, TELECOM SudParis Examinateurs : Yvon KERMARREC, Professeur, IMT Atlantique Walter RUDAMETKIN, Maître de Conférences, Université de Lille Dominique HAZAEL-MASSIEUX, Ingenieur de Recherche, W3C Vincent FREY, R&D Software Engineer, Orange Labs Dir. de thèse : Olivier BARAIS, Professeur, Université de Rennes 1 Co-dir. de thèse : Gerson SUNYÉ, Maître de Conférences, Université de Nantes “Fide, sed cui vide”. - Locution latine “Du père qui m’a donné la vie : la modestie et la virilité, du moins si je m’en rapporte à la réputation qu’il a laissée et au souvenir personnel qui m’en reste”. - Marcus Catilius Severus i Résumé en Français Contexte Communication, du latin communicatio [13], est défini par le dictionnaire Oxford comme étant “the imparting or exchanging of information” et “the means of sending or receiving information, such as telephone lines or computers” [14]. Face à une incertitude ou à un risque, un tel échange n’est possible que si une relation de confiance peut être établie entre l’émetteur et le récepteur. Cette relation de confiance doit aussi concerner les moyens utilisés pour communiquer.
  • Benítez Bravo, Rubén; Liu, Xiao; Martín Mor, Adrià, Dir

    Benítez Bravo, Rubén; Liu, Xiao; Martín Mor, Adrià, Dir

    This is the published version of the article: Benítez Bravo, Rubén; Liu, Xiao; Martín Mor, Adrià, dir. Proyecto de local- ización de Waterfox al catalán y al chino. 2019. 38 p. This version is available at https://ddd.uab.cat/record/203606 under the terms of the license Trabajo de TPD LOCALIZACIÓN DE WATERFOX EN>CA/ZH Ilustración 1. Logo de Waterfox Rubén Benítez Bravo y Xiao Liu 1332396 | 1532305 [email protected] [email protected] Màster de tradumàtica: Tecnologies de la traducció 2018-2019 Índice de contenidos 1. Introducción ........................................................................................ 4 2. Tabla resumen .................................................................................... 5 3. Descripción del proceso de localización ............................................. 6 3.1 ¿Qué es Waterfox? ........................................................................ 6 3.2 ¿Qué uso tiene?............................................................................. 6 3.3 Preparando la traducción ............................................................... 7 4. Análisis de la traducción ................................................................... 11 5. Análisis técnico ................................................................................. 21 6. Fase de testing ................................................................................. 29 7. Conclusiones .................................................................................... 35 8. Bibliografía
  • Alibaba Cloud

    Alibaba Cloud

    AAlliibbaabbaa CClloouudd Alibaba Cloud SSerrvveer rL oLaoda Bda laBnaclearncer ListLeinsetresners Document Version: 20210922 Document Version: 20210922 Server Load Balancer List eners·Legal disclaimer Legal disclaimer Alibaba Cloud reminds you t o carefully read and fully underst and t he t erms and condit ions of t his legal disclaimer before you read or use t his document . If you have read or used t his document , it shall be deemed as your t ot al accept ance of t his legal disclaimer. 1. You shall download and obt ain t his document from t he Alibaba Cloud websit e or ot her Alibaba Cloud- aut horized channels, and use t his document for your own legal business act ivit ies only. The cont ent of t his document is considered confident ial informat ion of Alibaba Cloud. You shall st rict ly abide by t he confident ialit y obligat ions. No part of t his document shall be disclosed or provided t o any t hird part y for use wit hout t he prior writ t en consent of Alibaba Cloud. 2. No part of t his document shall be excerpt ed, t ranslat ed, reproduced, t ransmit t ed, or disseminat ed by any organizat ion, company or individual in any form or by any means wit hout t he prior writ t en consent of Alibaba Cloud. 3. The cont ent of t his document may be changed because of product version upgrade, adjust ment , or ot her reasons. Alibaba Cloud reserves t he right t o modify t he cont ent of t his document wit hout not ice and an updat ed version of t his document will be released t hrough Alibaba Cloud-aut horized channels from t ime t o t ime.
  • Memento: Time Travel for the Web

    Memento: Time Travel for the Web

    Memento: Time Travel for the Web Herbert Van de Sompel Michael L. Nelson Robert Sanderson Los Alamos National Old Dominion University, Los Alamos National Laboratory, NM, USA Norfolk, VA, USA Laboratory, NM, USA [email protected] [email protected] [email protected] Lyudmila L. Balakireva Scott Ainsworth Harihar Shankar Los Alamos National Old Dominion University, Los Alamos National Laboratory, NM, USA Norfolk, VA, USA Laboratory, NM, USA [email protected] [email protected] [email protected] ABSTRACT 1. INTRODUCTION The Web is ephemeral. Many resources have representa- \The web does not work," my eleven year old son com- tions that change over time, and many of those represen- plained. After checking power and network connection, I tations are lost forever. A lucky few manage to reappear realized he meant something rather more subtle. The URI as archived resources that carry their own URIs. For ex- (http://stupidfunhouse.com) he had bookmarked the year ample, some content management systems maintain version before returned a page that didn't look like the original at pages that reflect a frozen prior state of their changing re- all, and definitely was not fun. He had just discovered that sources. Archives recurrently crawl the web to obtain the the web has a terrible memory. actual representation of resources, and subsequently make Let us restate the obvious: the Web is the most pervasive those available via special-purpose archived resources. In information environment in the history of humanity; hun- both cases, the archival copies have URIs that are protocol- dreds of millions of people1 access billions of resources2 using wise disconnected from the URI of the resource of which a variety of wired or wireless devices.
  • TR-069: CPE WAN Management Protocol

    TR-069: CPE WAN Management Protocol

    TECHNICAL REPORT TR-069 CPE WAN Management Protocol Issue: Amendment 6 Corrigendum 1 Issue Date: June 2020 CWMP Version: 1.4 © Broadband Forum. All rights reserved. CPE WAN Management Protocol TR-069 Issue Amendment 6 Corrigendum 1 Notice The Broadband Forum is a non-profit corporation organized to create guidelines for broadband network system development and deployment. This Technical Report has been approved by members of the Forum. This Technical Report is subject to change. This Technical Report is owned and copyrighted by the Broadband Forum, and all rights are reserved. Portions of this Technical Report may be owned and/or copyrighted by Broadband Forum members. Intellectual Property Recipients of this Technical Report are requested to submit, with their comments, notification of any relevant patent claims or other intellectual property rights of which they may be aware that might be infringed by any implementation of this Technical Report, or use of any software code normatively referenced in this Technical Report, and to provide supporting documentation. Terms of Use 1. License Broadband Forum hereby grants you the right, without charge, on a perpetual, non- exclusive and worldwide basis, to utilize the Technical Report for the purpose of developing, making, having made, using, marketing, importing, offering to sell or license, and selling or licensing, and to otherwise distribute, products complying with the Technical Report, in all cases subject to the conditions set forth in this notice and any relevant patent and other intellectual property rights of third parties (which may include members of Broadband Forum). This license grant does not include the right to sublicense, modify or create derivative works based upon the Technical Report except to the extent this Technical Report includes text implementable in computer code, in which case your right under this License to create and modify derivative works is limited to modifying and creating derivative works of such code.
  • An Expressive Model for the Web Infrastructure: Definition and Application to the Browserid SSO System

    An Expressive Model for the Web Infrastructure: Definition and Application to the Browserid SSO System

    An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System∗ Daniel Fett, Ralf Küsters, Guido Schmitz University of Trier, Germany {fett,kuesters,schmitzg}@uni-trier.de Abstract The web constitutes a complex infrastructure and as demonstrated by numerous attacks, rigorous analysis of standards and web applications is indispensable. Inspired by successful prior work, in particular the work by Akhawe et al. as well as Bansal et al., in this work we propose a formal model for the web infrastructure. While unlike prior works, which aim at automatic analysis, our model so far is not directly amenable to automation, it is much more comprehensive and accurate with respect to the standards and specifications. As such, it can serve as a solid basis for the analysis of a broad range of standards and applications. As a case study and another important contribution of our work, we use our model to carry out the first rigorous analysis of the BrowserID system (a.k.a. Mozilla Persona), a recently developed complex real-world single sign-on system that employs technologies such as AJAX, cross-document messaging, and HTML5 web storage. Our analysis revealed a number of very critical flaws that could not have been captured in prior models. We propose fixes for the flaws, formally state relevant security properties, and prove that the fixed system in a setting with a so-called secondary identity provider satisfies these security properties in our model. The fixes for the most critical flaws have already been adopted by Mozilla and our findings have been rewarded by the Mozilla Security Bug Bounty Program.