A Brief Introduction to Liberty
This document provides an overview of the Liberty Version 1
specifications. It briefly discusses some of the underlying technologies,
including HTTP, the establishment of web connections, and SSL. Liberty version
1 technologies are presented in overview, along with a brief discussion of
Liberty security characteristics, including a review of the risks in single
sign-on systems.
Security and Privacy Concerns of Internet Single Sign-On
The intent of Liberty version 1 specifications is to make single sign-on to
multiple sites substantially as secure as giving a name and password at
each site. Although we believe that the Liberty Alliance has achieved this
goal, because the version 1 specifications are built on top of present-day
Internet technology, numerous security and privacy issues remain. This
report details these issues.
First, general classes of Internet security vulnerabilities and risks are
enumerated. Then these specific types of vulnerabilities and risks are
discussed: single sign-on, social, those manifested in Internet protocols
and common browsers, and potential ones in Liberty implementations. Our
purpose in presenting these potential routes of attack is to explain the
security vulnerabilities that exist --- largely because of the underlying
infrastructure --- so that Liberty implementors (and to a lesser extent,
users) are aware of the various risks and threats.