Wanpeng Li scite author profile

Wanpeng Li

5Publications

72Citation Statements Received

212Citation Statements Given

How they've been cited

119

How they cite others

146

200

Affiliations

University of Aberdeen, Royal Holloway University of London, City, University of London

Publications

Order By: Most citations

Analysing the Security of Google’s Implementation of OpenID Connect

Mitchell

2016

View full text Add to dashboard Cite

Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for signin. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.

show abstract

Security Issues in OAuth 2.0 SSO Implementations

Mitchell

2014

View full text Add to dashboard Cite

Abstract. Many Chinese websites (relying parties) use OAuth 2.0 as the basis of a single sign-on service to ease password management for users. Many sites support five or more different OAuth 2.0 identity providers, giving users choice in their trust point. However, although OAuth 2.0 has been widely implemented (particularly in China), little attention has been paid to security in practice. In this paper we report on a detailed study of OAuth 2.0 implementation security for ten major identity providers and 60 relying parties, all based in China. This study reveals two critical vulnerabilities present in many implementations, both allowing an attacker to control a victim user's accounts at a relying party without knowing the user's account name or password. We provide simple, practical recommendations for identity providers and relying parties to enable them to mitigate these vulnerabilities. The vulnerabilities have been reported to the parties concerned.

show abstract

User Access Privacy in OAuth 2.0 and OpenID Connect

Mitchell

2020

View full text Add to dashboard Cite

Not All Browsers are Created Equal: Comparing Web Browser Fingerprintability

Al-Fannah

2017

View full text Add to dashboard Cite

Browsers and their users can be tracked even in the absence of a persistent IP address or cookie. Unique and hence identifying pieces of information, making up what is known as a fingerprint, can be collected from browsers by a visited website, e.g. using JavaScript. However, browsers vary in precisely what information they make available, and hence their fingerprintability may also vary. In this paper, we report on the results of experiments examining the fingerprintable attributes made available by a range of modern browsers. We tested the most widely used browsers for both desktop and mobile platforms. The results reveal significant differences between browsers in terms of their fingerprinting potential, meaning that the choice of browser has significant privacy implications.

show abstract

Industry herding in crypto assets

Zhao

Liu²,

Li³

2022

International Review of Financial Analysis

View full text Add to dashboard Cite

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Wanpeng Li

Analysing the Security of Google’s Implementation of OpenID Connect

Security Issues in OAuth 2.0 SSO Implementations

User Access Privacy in OAuth 2.0 and OpenID Connect

Not All Browsers are Created Equal: Comparing Web Browser Fingerprintability

Industry herding in crypto assets

Contact Info

Product

Resources

About