Analysing the Security of Google's implementation of OpenID Connect

Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems

Protecting Fundamental Labor Rights: Lessons from Canada for the United States

This paper examines the decline in unionization in the United States that began to occur in about 1960. While various explanations have been put forward to explain this -- with many focusing on some form of structural changes to the economy or to the workforce, usually related to globalization or technological progress -- this paper focuses on the role that employer opposition to unions has played, together with relatively weak labor law. In order to fully flesh out the experience of the United States, it looks to the experience of Canada as the country most similar to it

FY2018 National Defense Authorization Act: Selected Military Personnel Issues

[Excerpt] Military personnel issues typically generate significant interest from many Members of Congress and their staffs. This report provides a brief synopsis of selected sections in the National Defense Authorization Act for FY2018 (H.R. 2810), as passed by the House on July 14, 2017, and the Senate on September 18, 2017. The FY2018 NDAA conference report was passed by the House on November 14, 2017, and the Senate on November 16, 2017. On December 12, President Donald J. Trump signed the bill into law (P.L. 115-91). Issues include military end-strengths, pay and benefits, and other personnel policy issues. This report focuses exclusively on the NDAA legislative process. It does not include language concerning appropriations, or tax implications of policy choices, topics that are addressed in other CRS products. Issues that have been discussed in the previous year’s defense personnel reports are designated with an asterisk in the relevant section titles of this report

The President and Nuclear Weapons: Authorities, Limits, and Process

There is no more consequential decision for a president than ordering a nuclear strike. In the Cold War, the threat of sudden nuclear annihilation necessitated procedures emphasizing speed and efficiency and placing sole decision-making authority in the president’s hands. In today’s changed threat environment, the legal authorities and process a U.S. president would confront when making this grave decision merit reexamination. This paper serves as a resource in the national discussion about a president’s legal authority and the procedures for ordering a nuclear strike, and whether to update them