{% extends "base.html" %} {% block content %}

SSO-Monitor.me

The First Reproducible and Reliable SSO-Archive
for Single Sign-On Landscape and Security Measurements


About the Paper

Single Sign-On (SSO) with OAuth 2.0 and OpenID Connect 1.0 is essential for user authentication and authorization on the Internet. Billions of users rely on SSO services provided by Google, Facebook, and Apple. For large-scale measurements on the security of SSO, researchers need to reliably detect SSO implementations in the wild.

In this paper, we survey the current state of 36 SSO measurement tools from prior work and discover gaps leading to blind spots in the SSO landscape that hinder the community from improving large-scale research. We observe unreliable measurements and a lack of reproducibility, making comparisons between studies difficult, if not impossible. We fill these gaps with SSO-Monitor, our open-source, modular, and highly extensible framework for large-scale SSO landscape and security measurements. SSO-Monitor achieves a high accuracy of 93% and, compared to previous tools, significantly improves the reliability of SSO measurements by 19%. It continuously takes snapshots of SSO implementations on the top 1M websites to compose an SSO-Archive that is reproducible by design. To this end, it passively monitors the SSO flows and provides an extensive set of landscape and security insights on sso-monitor.me. Our SSO-Archive allows researchers to perform comprehensive measurements over time and even beyond the scope of SSO.

We use the data in our SSO-Archive to measure the security of 89k SSO authentication flows on the top 1M websites. In doing so, we discover 33k violations of the OAuth Security Best Current Practices and 339 severe security vulnerabilities. They include 30 username and password leaks and 28 token leaks that allow full account takeovers.

About the Website

This website provides access to the SSO-Archive and the SSO-Monitor tool. The SSO-Archive is a central collection and long-term storage of Single Sign-On logins that we recorded on millions of websites. SSO-Monitor is the tool that generates the data that is fed into our SSO-Archive. You can think of our SSO-Archive as the Tranco Top Sites Ranking and the Internet Archive's Wayback Machine but applied to Single Sign-On.

SSO-Archive

The SSO-Archive lists all archived SSO login recordings in a paginated table. You can filter and search the SSO-Archive, for example, to select only domains with SSO, domains of a specific scan, or all domains matching a custom database query for more advanced fine-grained filtering.

Statistics

The Statistics page computes several statistics on our SSO-Archive. You can load the latest scan, a specific scan, or a ground truth to show aggregated statistics of the data, including the number of SSO buttons, login pages, and the position of SSO buttons on the browser canvas.

Tranco+SSO List

The Tranco+SSO List lets you download our SSO-Archive as JSON files. Since our API uses pagination and does not provide all data at once, we provide a large JSON file holding all SSO login recordings instead. The file allows you to apply your own parsing and queries for individual filtering.


FAQs

Single Sign-On (SSO for short) is a user authentication method that involves two parties — an Identity Provider (IdP) and a Service Provider (SP). IdPs, such as Google, Facebook, and Apple, manage and verify user identities. SPs are the applications or websites that require user authentication. With SSO, users can log in to multiple SPs by authenticating through a single IdP, streamlining the login process and reducing the need to remember multiple credentials. When a user attempts to log in on a website, the SP redirects the user to the chosen IdP. The IdP verifies the user's identity and, if successful, sends an authentication token back to the SP. The SP uses the authentication token to sign in the user. A simple example of SSO is the "Sign in with Facebook" feature on Pinterest. This feature allows users to log in to Pinterest with their Facebook accounts.

SSO-Monitor is an open-source tool that continuously iterates over millions of websites to monitor the SSO landscape across the web. To this end, it regularly visits websites, determines their login pages, and checks whether they support SSO on their login pages. Currently, it can detect SSO logins with 10 of the most commonly used IdPs, such as Google, Facebook, Apple, Twitter, LinkedIn, and GitHub.

The SSO-Archive is our central collection and long-term storage of artifacts and data, including every component of this website that lets you explore or download our archived data. SSO-Monitor is the tool that generates the data that is fed into the SSO-Archive. You can think of our SSO-Archive as the Tranco Top Sites Ranking and the Internet Archive's Wayback Machine but for SSO research.

SSO-Monitor executes the following steps to determine login pages of websites:

  1. It navigates to the website and checks whether it is reachable.
  2. It scans the website for login pages using the following techniques:
    • it queries the free internet metasearch engine SearXNG that aggregates results from various search engines and databases
    • it crawls the website for links pointing to the login page
    • it tests well-known paths like shop.com/login or subdomains like login.shop.com
    • it scans the website's sitemap
    • it scans the website's homepage

SSO-Monitor executes the following steps to detect SSO buttons on login pages:

  1. It navigates to the login page and checks whether it is reachable.
  2. It scans the login page for SSO buttons using the following techniques:
    • it searches for well-known keywords like Sign in with Google or more generic terms like google in the DOM and accessibility tree
    • it takes a screenshot of the login page and uses visual-based detection by running the OpenCV template matching algorithm on it to detect the logos of the IdPs
    • it captures all HTTP requests on the website and applies rules on them to detect popular login widgets
    • it hooks the navigator.credentials browser API to detect if a website requests a PasswordCredential for password authentication, FederatedCredential or IdentityCredential for SSO authentication, or PublicKeyCredential for WebAuthn or passkey authentication
  3. It triggers the SSO authentication flows and stores snapshots of them in our SSO-Archive, which includes the recognized IdPs, the login page URLs, the coordinates of the SSO buttons, screenshots, and the recorded traffic.

SSO-Monitor currently detects the following IdPs: Apple, Facebook, Google, Twitter, LinkedIn, Microsoft, Baidu, GitHub, QQ, Sina Weibo, and WeChat. Further IdPs can be integrated easily by extending the regular expressions that detect the login requests issued to the IdPs and by adding the IdP logos used for visual detection.
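As an added example (not SSO-Monitor's own code), the following snippet shows how captured HTTP requests can be matched against IdP authorization endpoints with regular expressions, as the FAQ describes, and how the matched request's parameters can then be checked against OAuth Security BCP recommendations (state, PKCE, implicit grant). The endpoint patterns, the sample traffic, and the finding labels are assumptions constructed for this example.

```javascript
// Added example (not SSO-Monitor's own code): classify captured requests as
// SSO authorization requests by regex-matching IdP authorization endpoints
// (patterns assumed from public IdP docs, covering a subset of the FAQ's IdPs),
// then flag OAuth Security BCP issues in the request parameters.
const IDP_PATTERNS = [
  { idp: "Google",    re: /^https:\/\/accounts\.google\.com\/o\/oauth2\/(v2\/)?auth/ },
  { idp: "Facebook",  re: /^https:\/\/(www\.)?facebook\.com\/(v\d+\.\d+\/)?dialog\/oauth/ },
  { idp: "Apple",     re: /^https:\/\/appleid\.apple\.com\/auth\/authorize/ },
  { idp: "GitHub",    re: /^https:\/\/github\.com\/login\/oauth\/authorize/ },
  { idp: "Microsoft", re: /^https:\/\/login\.microsoftonline\.com\/[^/]+\/oauth2\/(v2\.0\/)?authorize/ },
  { idp: "LinkedIn",  re: /^https:\/\/www\.linkedin\.com\/oauth\/v2\/authorization/ },
];

// Returns null for non-SSO requests; otherwise the IdP, the key parameters,
// and a list of BCP findings for this authorization request.
function classifyAuthRequest(url) {
  const match = IDP_PATTERNS.find((p) => p.re.test(url));
  if (!match) return null;
  const params = new URL(url).searchParams;
  const get = (k) => params.get(k);
  const findings = [];
  const responseType = get("response_type") || "";
  // Implicit grant returns tokens in the URL fragment; BCP recommends code + PKCE.
  if (responseType.split(" ").includes("token")) findings.push("implicit_grant");
  // Without state or PKCE the SP has no CSRF protection on its redirect URI.
  if (!get("state") && !get("code_challenge")) findings.push("no_state_or_pkce");
  // A code flow without PKCE is discouraged, especially for public clients.
  if (responseType === "code" && !get("code_challenge")) findings.push("no_pkce");
  return {
    idp: match.idp,
    clientId: get("client_id"),
    redirectUri: get("redirect_uri"),
    responseType,
    findings,
  };
}

// Constructed sample traffic, as a passive recorder on a login page would see it.
const SAMPLE_REQUESTS = [
  "https://www.shop.example/static/app.js",
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=123.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fshop.example%2Fcb&response_type=code&scope=openid%20email&state=abc&code_challenge=xyz&code_challenge_method=S256",
  "https://www.facebook.com/v12.0/dialog/oauth?client_id=456&redirect_uri=https%3A%2F%2Fshop.example%2Ffb&response_type=token",
];

// Keep only the requests that were recognized as SSO authorization requests.
function scan(urls) {
  return urls.map(classifyAuthRequest).filter((r) => r !== null);
}
```

Running scan(SAMPLE_REQUESTS) yields two hits: the Google request with no findings, and the Facebook request flagged for the implicit grant and the missing state/PKCE.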

Yes, we already detect username and password logins by integrating the LastPass password manager. Password managers already use sophisticated algorithms to find username and password fields. These algorithms go beyond checking the type attributes of <input> fields. LastPass is the most downloaded password manager with over 10 million users in the Chrome web store and has been extensively studied in academic research. The extension injects a uniquely identifiable icon into all username and password fields, allowing us to identify all such fields.

We have limited support for WebAuthn and passkey detection. SSO-Monitor hooks the navigator.credentials browser API to detect if a website requests a PublicKeyCredential for WebAuthn or passkey authentication. In this way, it can detect if a website starts the WebAuthn or passkey authentication. However, many websites require some sort of user interaction before starting the WebAuthn or passkey authentication. For instance, websites require users to submit their usernames before the authentication process is started. Currently, we do not explicitly scan for WebAuthn or passkey authentication, but we plan to add full support for WebAuthn and passkey detection in the coming months.
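The navigator.credentials hook described in the SSO button detection steps and in the WebAuthn answer above, as an added example that is not part of SSO-Monitor's code: it wraps navigator.credentials.get, classifies each request by the option keys the Credential Management, FedCM and WebAuthn APIs use, and forwards the call unchanged. The function names and the constructed stand-in navigator used in demo() are assumptions; in a browser you would pass window.navigator instead.

```javascript
// Added example (not SSO-Monitor's own code): hook navigator.credentials.get
// and classify which credential type a page requests, mirroring the FAQ's
// PasswordCredential / FederatedCredential / IdentityCredential /
// PublicKeyCredential distinction. Works in a browser (pass window.navigator)
// or in Node against a constructed navigator-like object as in demo().

// Map the option keys of CredentialRequestOptions to the credential type
// being requested. One call may carry several keys (e.g. password + federated).
function classifyCredentialRequest(options) {
  const kinds = [];
  if (!options || typeof options !== "object") return kinds;
  if (options.password) kinds.push("PasswordCredential");   // username/password login
  if (options.federated) kinds.push("FederatedCredential"); // legacy Credential Management SSO
  if (options.identity) kinds.push("IdentityCredential");   // FedCM-based SSO
  if (options.publicKey) kinds.push("PublicKeyCredential"); // WebAuthn / passkey
  return kinds;
}

// Wrap nav.credentials.get so every request is reported before it is forwarded
// to the real implementation; the page's behaviour is unchanged. Returns the
// original function so the hook can be removed again.
function installCredentialsHook(nav, report) {
  const creds = nav.credentials;
  const original = creds.get.bind(creds);
  creds.get = function (options) {
    report({ kinds: classifyCredentialRequest(options), options });
    return original(options);
  };
  return original;
}

// Stand-alone demo with a constructed navigator: a FedCM login request
// followed by a passkey request, as a login page might issue them.
function demo() {
  const seen = [];
  const fakeNav = { credentials: { get: async () => null } };
  installCredentialsHook(fakeNav, (r) => seen.push(r.kinds));
  fakeNav.credentials.get({ identity: { providers: [{ configURL: "https://idp.example/fedcm.json", clientId: "demo" }] } });
  fakeNav.credentials.get({ publicKey: { challenge: new Uint8Array(32) } });
  return seen;
}
```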

We provide a wide range of data on this website. In fact, this website is built on our API, so everything you can see on this website is fetched from our API. We further provide a Tranco+SSO list in JSON format that you can download. In the following, you can see a commented overview of some of the data that we provide.

{% include "components/datacard.html" %}

A lot of web security research has focused on the unauthenticated web. Large-scale measurements on the authenticated web are hard because account logins and registrations have to be automated. Recent research has already started semi-automated studies of the authenticated web. We see our publicly available SSO-Archive and open-source tool SSO-Monitor as a baseline for future measurements on the authenticated web. In fact, we already provide the HTTP traffic of login processes. As a result, post-login security measurements, such as checking the security attributes of session cookies and the secure storage of tokens in the browser, can already be conducted on our data. We also pave the way for active measurements on the authenticated web with SSO-Monitor's extensible architecture and automatic SSO login support.

We create an individual task for each analysis of a domain. For instance, if we analyze the top 500k domains of the Tranco list, we create 500k tasks in total (one for each domain). Tasks are contained in a scan that defines the targeted domains that should be analyzed. For instance, we create a single scan for the Tranco top 500k domains that holds a total of 500k tasks. Scans can be further combined by tagging them. For instance, if we later decide to scan the lower 500k domains of the Tranco list in a new scan, we can add the same tag to both 500k scans. This allows us to gradually execute smaller scans and combine them at a later time.

Yes, we follow an API-centric approach and provide a publicly accessible API for all our data. In fact, everything you can see on this website is fetched from our API. We also provide an OpenAPI file and an API documentation to make working with the API more convenient.

Yes, SSO-Monitor is entirely open-source and we plan to actively maintain it for research purposes. Our SSO-Archive contains all data and is provided throughout this website in various formats, i.e., as downloadable JSON files or via APIs that can be filtered with queries. If you have trouble downloading our large dataset, please contact us.

Citation

If you use our data or tooling for your research, please cite our publication:

@inproceedings{sso-monitor,
    title={SoK: SSO-Monitor - The Current State and Future Research Directions in Single Sign-On Security Measurements},
    author={Jannett, Louis and Westers, Maximilian and Wich, Tobias and Mainka, Christian and Mayer, Andreas and Mladenov, Vladislav},
    booktitle={2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P)},
    year={2024},
    volume={},
    number={},
    pages={},
    keywords={Single Sign-On;Authentication;Authorization;OAuth;OpenID Connect;Web Archive;SSO Archive},
    doi={TBD}
}

L. Jannett, M. Westers, T. Wich, C. Mainka, A. Mayer and V. Mladenov, "SoK: SSO-Monitor - The Current State and Future Research Directions in Single Sign-On Security Measurements", 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), Vienna, Austria, 2024, pp. TBD-TBD, doi: TBD. keywords: {Single Sign-On;Authentication;Authorization;OAuth;OpenID Connect;Web Archive;SSO Archive}

Contact

Feel free to reach out to us regarding this research, the artifacts, or the tooling. If you have any trouble with the tool, please open an issue on GitHub.

The SSO-Monitor.me logo is based on the OAuth logo created by Chris Messina. The logo is released under the Creative Commons Attribution ShareAlike 3.0 license.

{% endblock %}