Talk title: Research on discoverable Chrome extensions
Speaker: Assistant Professor 李萬鵬 (Wanpeng Li), doctoral supervisor
Time: 14 May, 16:30-18:00
Venue: Room B306, Mingli Building (明理樓), College of Computer Science and Software Engineering
Speaker biography:
李萬鵬 (Wanpeng Li) is an Assistant Professor and doctoral supervisor at the University of Aberdeen, UK, and Head of the Cyber Security department in the School of Computing. He previously served as an Assistant Professor at Manchester Metropolitan University, where he headed the Cyber Security, Information Security and Digital Forensics department and was a core participant in the Greater Manchester Cyber Foundry project. He received his PhD from Royal Holloway, University of London, and carried out postdoctoral research in Professor Tom Chen's group at the School of Computing, City, University of London. His research focuses on identity management systems, web security, applied cryptography and software security. He has published a number of high-quality international papers in network and information security; his work on identity management systems substantially improved the security of the OpenID Connect deployments of Google and several other internet companies, and he has been listed in Google's Security Hall of Fame.
Abstract:
Currently widely used federated login (single sign-on) systems, notably those based on OAuth 2.0, offer very little privacy for the user, and as a result the identity provider (e.g. Google or Facebook) can learn a great deal about user web behaviour, in particular which sites they access. This is clearly not desirable for privacy reasons, and in particular for privacy-conscious users who wish to minimise the information about web access behaviour that they reveal to third party organisations. In this paper we give a systematic analysis of the user access privacy properties of OAuth 2.0 and OpenID Connect systems, and in doing so describe how simple it is for an identity provider to track user accesses. We also propose possible ways in which these privacy issues could to some extent be mitigated, although we conclude that to make the protocols truly privacy-respecting requires significant changes to the way in which they operate. In particular, it seems impossible to develop simple browser-based mitigations without modifying the protocol behaviour. We also briefly examine parallel research by Hammann et al., who have proposed a means of improving the privacy properties of OpenID Connect.
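The abstract states that tracking user accesses is simple for an identity provider because the browser must send the relying party's identity to the IdP's authorization endpoint on every login. The following added example (not code from the talk or its authors) makes that concrete from the IdP's point of view: it parses OAuth 2.0 authorization-code requests as the IdP receives them and aggregates, per IdP session, which relying parties the user logged in to. The RP registry, client identifiers, hostnames and log entries are all constructed for illustration; the parameter names follow RFC 6749 section 4.1.1, where `client_id` is a required parameter.

```python
"""Reconstructing a user's relying-party access history at the identity provider.

Added example, not from the talk or its authors. All client IDs, hostnames,
session cookies and timestamps below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed registry, as an IdP keeps one: registered client_id -> relying party.
RP_REGISTRY = {
    "client-news-001": "news.example",
    "client-shop-002": "shop.example",
    "client-health-003": "health.example",
}


def parse_authorization_request(url):
    """Extract what the browser sends to the authorization endpoint.

    Per RFC 6749 section 4.1.1 the client_id parameter is REQUIRED, so the IdP
    always learns which relying party started the login; redirect_uri and scope
    are optional but, when present, reveal the RP host and the data requested.
    """
    query = parse_qs(urlparse(url).query)
    return {
        "client_id": query.get("client_id", [None])[0],
        "redirect_uri": query.get("redirect_uri", [None])[0],
        "scope": query.get("scope", [""])[0],
    }


def identify_relying_party(params):
    """Map request parameters to a relying party name.

    A registered client_id is looked up directly; even an unknown client_id
    still leaks the RP through the hostname of redirect_uri.
    """
    rp = RP_REGISTRY.get(params["client_id"])
    if rp is None and params["redirect_uri"]:
        rp = urlparse(params["redirect_uri"]).hostname
    return rp


def build_access_profile(requests):
    """Aggregate authorization requests into {idp_session: [(timestamp, rp), ...]}.

    requests: iterable of (idp_session_cookie, authorization_request_url, timestamp).
    The IdP session cookie (or the account it maps to after login) links the
    visits together, which is exactly the tracking the abstract describes.
    """
    profile = defaultdict(list)
    for cookie, url, timestamp in requests:
        params = parse_authorization_request(url)
        profile[cookie].append((timestamp, identify_relying_party(params)))
    return dict(profile)


def sites_visited(profile, cookie):
    """Distinct relying parties seen for one IdP session, sorted for display."""
    return sorted({rp for _, rp in profile.get(cookie, []) if rp})


# Constructed sample of authorization requests as logged at the IdP's /authorize endpoint.
SAMPLE_LOG = [
    ("sess-A", "https://idp.example/authorize?response_type=code&client_id=client-news-001"
               "&redirect_uri=https%3A%2F%2Fnews.example%2Fcb&scope=openid&state=x1",
     "2019-05-01T09:00Z"),
    ("sess-A", "https://idp.example/authorize?response_type=code&client_id=client-health-003"
               "&redirect_uri=https%3A%2F%2Fhealth.example%2Fcb&scope=openid%20email&state=x2",
     "2019-05-01T09:05Z"),
    ("sess-B", "https://idp.example/authorize?response_type=code&client_id=unknown-999"
               "&redirect_uri=https%3A%2F%2Fforum.example%2Fcb&scope=openid&state=x3",
     "2019-05-01T09:07Z"),
]

if __name__ == "__main__":
    for session, visits in build_access_profile(SAMPLE_LOG).items():
        print(session, [rp for _, rp in visits])
```

The point the example makes is the one the abstract draws: nothing here requires any special effort on the IdP's side, because the protocol itself delivers the RP identity with every login, and a browser-side mitigation cannot strip `client_id` without breaking the flow.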
Organizers: College of Computer Science and Software Engineering
Institute of Science and Technology Development