The number of login options on websites has increased since the introduction of web single sign-on (SSO) protocols. SSO services allow users to grant websites or relying parties (RPs) access to their personal profile information from identity provider (IdP) accounts. When prompting users to select an SSO login option, many websites do not provide any privacy information that could help users make informed choices. Moreover, privacy differences in permission requests across available login options are largely hidden from users and are time consuming to manually extract and compare. In this paper, we present an empirical study of popular RP implementations supporting three major IdP login options (Facebook, Google, and Apple) and categorize RPs in the top 300 sites into four client-side code patterns. Our findings suggest a relatively uniform distribution in three code patterns. We select RPs in one of these patterns as target sites for the design and implementation of SSOPrivateEye (SPEye), a browser extension prototype that extracts comparative data on SSO login options in RPs covering the three IdPs. Our evaluation of SPEye demonstrates the viability of extracting privacy information that can inform SSO login choices in the majority of our target sites.
翻译:自采用网上单一签名协议以来,网站登录选项的数量有所增加。SSO服务允许用户允许网站或依赖方从身份提供者账户中访问个人概况信息。当促使用户选择 SSO 登录选项时,许多网站不提供任何有助于用户作出知情选择的隐私信息。此外,现有登录选项之间在许可请求方面的隐私差异大多隐藏在用户手中,并耗费时间手工提取和比较。在本文中,我们介绍了一项经验性研究,对支持三项主要IDP登录选项(Facebook、Google和Apple)的流行性RP实施选项进行了经验性研究,并将前300个网站的RP分类为四种客户端代码模式。我们的调查结果显示,三种代码模式的分布相对一致。我们从其中一种模式中选择RPs作为设计和实施SSOPIEye(SPEye)的目标网站,一个浏览器扩展原型,在RPSO登录选项中提取涵盖三个IDP的比较数据。我们对SPEye的多数目标选择表明,SPEEO在三个目标网站中可以获取隐私选择的可行性。