Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Analysis of Passport Flaws

CmdrTaco posted about 13 years ago | from the something-to-think-about dept.

Microsoft 174

An anonymous reader sent us an excellent (and technical) paper describing problems with Passport its not lame anti ms rhetoric, its actually a well written technical assesment of security problems with the unified login that passport aims to achieve. This is a good read.

cancel ×


Sorry! There are no comments related to the filter you selected.

Watch the date (1)

zunix (117687) | about 13 years ago | (#2109921)

In the guy's CV page [] it says that this publication is from July, 2000. I don't know if it makes any difference, but it still seems like relevant info.

Yeah? Well you shut up!

Told you so! (1, Funny)

Anonymous Coward | about 13 years ago | (#2110419)

"... We believe that until fundamental changes are made to underlying protocols (through standards such as DNSSEC and IPSec), efforts such as Passport must be viewed with suspicion. "

See? You NEED TCP/MS. Why don't you guys ever trust me?

--- billg

Alternative to Passport (1)

sasha328 (203458) | about 13 years ago | (#2111861)

The sole reason that Passport is being pushed forward, is to minimise the number of logons and password that a user needs to remember; so we store them in one location!
Wouldn't be more secure to have multiple logons (for each service provider) that are exactly the same? Sure there would be a security problem if someone happens to know my logon and my password, but there is a lesser chance of them having access to all my details, because they have to logon for every single service individually.

I found the following from the paper to be very pertinent: "The centralized service model is antithetical to the distributed nature of the Internet that has made it so robust and so popular."

Re:Alternative to Passport (1)

2bStealthy (512402) | about 13 years ago | (#2126197)

sasha328 the P2P movement is certainly an alternative. Look at what AOL has done: 1) They own the portal as an ISP with millions of users; 2) They own the digital content (Warner Bros., Atlantic Records, etc.); 3) Now they've decided to control the delivery of that content before P2P does it for them. More at:

Missing the forest for the trees ... (2, Insightful)

nicodaemos (454358) | about 13 years ago | (#2112420)

The article does a good job of articulating specific issues with the Microsoft's Passport system. Other people have suggested that we should perhaps look to XNS [] or other open source single signon systems. However, I believe they are missing an important piece.

This is important because users tend to pick poor (guessable) user names and passwords ...

Yes, that's right. What good is a strong single signon system that auto authenticates distributed sites, when the single signon itself may be weak? How much will 3DES encryption protect you when your password is "Swordfish"? You may recall the slashdot article [] that discussed how the average person tends to do a poor job of picking a secure password.

Fundamentally, Microsoft's passport or any other single signon system is as weak as their weakest link. Which, in many, cases appears to be the original signon authentication. I don't see them really catching on until that problem is better addressed.

These systems will have a much better chance when biometric authenticators become ubiquitous. Then hackers will have a much harder time impersonating you at the single signon.

However, no single signon system is perfect and the world is going to get a whole lot nastier when biometrics arrives en masse. Someday, we'll wax nostalgic about happier times when hackers only attacked computers and didn't pull out your eyeball to break into your bank account. I just saw Demolition Man recently in which Wesley Snipes does a very nice job of faking out a retina scanner with this method - truly gruesome.

Bah, none of these single signon systems for me. I'll just stick with my secure method of appending the site url to "password". Even if someone compromises one password, they won't know the rest!

Interesting read, but it's the s.o.s. (1)

tre (172905) | about 13 years ago | (#2113107)


Once agian Ms boasts a new "protocol" or implementation of software that relies on one, and once agian it is proven insecure. I find it not surprising though. How can I or any of us for that matter, think that something aimed toward making authentication easier, coming from MS, would actually make things better? Oh surely mure, the atypical weblite user is going to find this a great and a wonderful "time saver", while the rest of us who give a sh*t about information security end up finding ways to publicize its' flawed security model, in desperate attempts to keep something that may end up forcing into its' use from monopolistic tactics upon us, from being so problematic. Thanks MS...

more MS insecurity (0, Flamebait)

DNS-and-BIND (461968) | about 13 years ago | (#2114033)

Passport's security model depends heavily on the Domain Name System

You know, this more than anything else in the article bothered me. I can see the next big wave of MS server vulnerabilities leading to the surreptitious replacement of HOSTS files on the target machine. For those not in the know, most computers are configured to consult a local database of hostname/IP pairs every time a domain name is resolved to a numeric IP address (this happens every time you need a name resolved, which happens very very frequently). This local file is always queried first; if the answer is not found (usually the case) a query is issued to the DNS server, which provides a response. However, adding extra entries to a Windows hosts file (redirecting, say,, or more insidiously, to a lookalike site run by the attacker) could be a serious vulnerability. In the case of, the attacker could gain personal information and credit card numbers, however if were to be redirected, an attacker could trick the user into downloading trojaned patches or other software.

The paper's authors list an email address as "{davek,rubin}". This address is invalid (501 Bad address syntax). Anyone know how to contact these people?

Re:more MS insecurity (1)

WWWWolf (2428) | about 13 years ago | (#2111738)

The paper's authors list an email address as "{davek,rubin}". This address is invalid (501 Bad address syntax). Anyone know how to contact these people?

They're using pseudo-smart, UNIX-shell-like way of telling their addresses... probably confusing to many people. Read the above as and

Re:more MS insecurity (1)

James Foster (226728) | about 13 years ago | (#2112203)

The paper's authors list an email address as "{davek,rubin}". This address is invalid (501 Bad address syntax). Anyone know how to contact these people?

Re:more MS insecurity (1)

cygnusx (193092) | about 13 years ago | (#2133470)

It's an usual academic convention to list authors with addresses at the server in that notation. Try davek@... and rubin@...

Re:more MS insecurity (1)

cygnusx (193092) | about 13 years ago | (#2114487)

Sorry, that should have read... authors with addresses at the same server using that notation.

Re:more MS insecurity (2)

Tackhead (54550) | about 13 years ago | (#2150497)

> > Passport's security model depends heavily on the Domain Name System
> You know, this more than anything else in the article bothered me. I can see the next big wave of MS server vulnerabilities leading to the surreptitious replacement of HOSTS files on the target machine.

I can see that, but I can also see a wave of cookie-harvesting attempts. If the expiry dates on the persistent cookies used as authentication tokens is long enough (as it presumably must be, or the user would have to log in again every day), a worm that .ZIPs up a user's cookies and "phones home" by emailing the cookies to a set of randomly-pregenerated Yahoo (or for irony's sake, Hotmail) accounts, by filling out a web form (as, for instance, an AC posting to /. in a user-created forum), maybe even to an abandoned newsgroup, with bonus points for doing the USENET post through an open SOCKS proxy.

Either option is possible - the HOSTS file approach would be readily-detectable, though, and easily fixed. Whoever set up the site to which the h4x0red HOSTS file pointed would also be the obvious target for investigation. The cookie-harvesting approach would offer similar ease-of-coding for the k1dd13z, but depending on the mechanism chosen for "phoning home" (and the options available to the attacker for retrieving the messages containing the cookies, including anonymizing proxies), near-total anonymity.

As currently implemented, Passport and .NET are disasters waiting to happen, and I will entrust no confidential data with them. If my bank or broker requires their use, I will take my business elsewhere, or regress to doing my business over the phone or in meatspace.

need to heard your daily dose of anti-ms? (0)

Anonymous Coward | about 13 years ago | (#2114295)

Well, at least slashdot can be counted on for your daily dose of anti-Microsoft. You open source people have stepped to a new low. Do you think that if you read an anti-Microsoft piece every day that you will somehow feel that your product is better? Is this the re-assurance you need. If so then you need to get a life.

This entire discussion violates the DMCA (5, Insightful)

crovira (10242) | about 13 years ago | (#2114622)

And that was the point.

Now you can't discuss the weaknesses you find in an open forum so they can be addressed. You can only discuss it illegally through encrypted e-mail with others who will exploit them.

The DMCA was NOT an improvement.

Re:This entire discussion violates the DMCA (2, Informative)

danheskett (178529) | about 13 years ago | (#2113023)


The article did not publish nor discuss a way to circumvent the system. It talked generally about various attacks.

I can say that: DVD appear to be vulernable to a key-decryption attack which would allow decoding and copying to my local hard drive.

I cannot say: DVD's can be decrypted using XYZ-XYZ key and decoded using this code (insert code).

But still, the point is moot. Any restriction of the kind is a violation of the 1st amendment.

You can tell... (2)

gowen (141411) | about 13 years ago | (#2114961)

its going to be an article aimed at technically au fait readers when the authors' emails are given as {davek,rubin} with no further comment on what this means...

kerberos authentication (1, Interesting)

CTho9305 (264265) | about 13 years ago | (#2114966)

I think it would work better... it solves ALL problems listed except for poor passwords. However, the "average" user will never remember a password that is any good - and will demand some "remember my login" feature. This combination ensures INsecurity. Until people are willing to remember a short (6+) character sequence, and are willing to type it in (and change it periodically, there can be no good security (using passwords). The main disadvantage to kerberos is that most browsers do not inherently support it - you need plugins and sometimes a completely separate application.

Hairy deal! (1)

Bender Unit 22 (216955) | about 13 years ago | (#2115577)

This is a very hairy deal, which proves that it was not written by some slick moneygrabbing M$ two piece suit with no concept of that quality software is! ;-)
(you need to read through the article to the bottom to understand that)

Hardware password device needed (1)

Thor Ablestar (321949) | about 13 years ago | (#2115578)

I am not a crypto wizard to understand all the article. But I believe the main purpose of Passport was the necessity either to keep a lot of different passwords or to have a center that authentifies a person using the single password.

I believe that it's possible to keep a lot of different random passwords in any hardware device attached to computer thus avoiding most problems. The device may be the special keyboard (for instance, with magnetic, chip or proximity card reader), the standalone card reader or, preferably, USB key attached to the USB port that is present everywhere now (For USB challenged people there is a FDD). Of course, the device should be supported with some device-independent open-source protocol (Or we shall not trust it).

But I believe that Microsoft needs Passport NOT for our benefits, but for benefits of Billy's pockets and so Password will be pushed into our throats leaving all non-M$ aside.

Its a shame there are so many problems (1)

John_Steed (127860) | about 13 years ago | (#2116336)

Well, I agree with the artical that there are an abundance of problems with passport, its truly unfortunate that it could not be done better/independently. The idea of Passport seems like a great one that could indeed help users, and make them more secure. As the artical states most users use bad, and repeating passwords. Something like this would probably make those people more secure in the the long run. as the acutal vendor would not have access to the persons password. Unfortunatly it is deeply flawed. Oh well maby some "open" project will emerge, and provide a better verson of passport.

We need an alternative (5, Insightful)

infiniti99 (219973) | about 13 years ago | (#2116337)

There's nothing particularly wrong with single-signon, just so as long it is done securely and the data of everyone on the planet isn't stored in one bank. Users are going to like the convience that Passport provides. Thus, we need a good alternative.

I found this [] , which discusses a way of doing a Passport-like identification over Jabber, dubbed "Jident". Maybe this, or something like it, could be implemented as a proper open-source/distributed counter to Passport.

Jabber is definitely what the world should be using instead of this new "Windows Messenger". Perhaps an alternative to Passport could be added/layered to it as well? Definitely check out that Jident page, especially the bottom where it lays out the pros and cons (and a neat scenario).

Maybe something like this will be discussed at JabberCon [] .


Re:We need an alternative (1)

sporty (27564) | about 13 years ago | (#2118943)

We need something just like passport which acts a more like kerberos. Where the server gives authentication tickets that expire, like cookies but it is not done via a redirect. If say, te third party client could do the request on their behalf, it wouldn' tbe as bad.

Another option would be different passwords for different uses. Of course my email password might be a little easier than say, the password for stuff i use my credit card number. Better yet, I might actually want to use a different password for everything. An option similar to RSA/DSA keys used with SSH. You don't need to use the key pasword you set on the server, but can use the password you used to create a particular keypair.

Arrested? (1)

Midnight Thunder (17205) | about 13 years ago | (#2116695)

Now how long will it be before this guy gets arrested? Stupid Laws!

Well-written? (1)

Old Wolf (56093) | about 13 years ago | (#2118701)

I [sic] hope it's [sic] better-written [sic] than Taco's assessment [sic] would indicate.

Security Flaws (2, Interesting)

lavaforge (245529) | about 13 years ago | (#2120154)

If found this following quote interesting: "Presumably, the Hotmail logout button is used to remove the Hotmail credentials, while the Passport signout button is used to remove the Passport credentials to all services. While this may be clear to computer security experts, it is unlikely that the average non-expert computer user will understand the distinction."

This is a bit unusual; most of Microsoft's various 'innovations' are renowned for their user interface, and here we have the interface acting as a potential security flaw.

Who wants to place bets on how long it will take before somebody starts harvesting ID's from the local libraries?

Re:Security Flaws (1)

CaptDeuce (84529) | about 13 years ago | (#2112829)

...most of Microsoft's various 'innovations' are renowned for their user interface, and here we have the interface acting as a potential security flaw.

"Renowned"? Don't you mean "notorious"?&nbsp

A quick grammar lesson for the stupid (3, Informative)

Anonymous Coward | about 13 years ago | (#2120989)

its = possesive (i.e., belong to it)

it's = contraction, for "it is".

So:'s not lame anti ms rhetoric, it's
actually a well written...

Geez. Hire a high school student to proofread or something.

Re:A quick grammar lesson for the stupid (0)

Anonymous Coward | about 13 years ago | (#2109922)

describing problems with Passport its not lame anti ms rhetoric

A run-on sentence, as well. You have to really try to construct a run-on sentence...they're not common like "alot" or "their". It's good to see slashdot really trying.

The Power of Passport... (5, Insightful)

Thomas M Hughes (463951) | about 13 years ago | (#2122724)

Well, my first question is really "Does anyone outside of Microsoft actually use passport for authentication?" Microsoft uses it a lot for MSN Messenger, Hotmail and all its other stuff, which isn't really bad (for Microsoft products that is). However, I have yet to see Passport used _outside_ of Microsoft.

Then, assuming that other companies do begin to use Passport at a significant level (despite no one using it after months of its deployment), there then becomes the question "What happens when Microsoft denies companies access to passport authentication?" For example, what happens if a Hotmail competitor wishes to use Passport authentication for its web mail login? Clearly, Microsoft would be helping their competitor if they allowed it, and acting monopolistically if they don't. That does provide a small problem for Microsoft.

Third is something that the article points out very early on about the very reason people need something like passport. To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced. Now, instead of your grocery store having access to your stocks, Microsoft has access to both your grocery store and your stocks, without doing anything but being a middle man authenticator.

But what am I saying? Microsoft is the good guy, who would never abuse its power. That's why its okay for Microsoft to use its powers to "innovate," just like its okay for the US to develop defensive systems that give it the power to launch nuclear weapons without fear of retaliation.

Re:The Power of Passport... (2)

Cardinal Biggles (6685) | about 13 years ago | (#2114097)

To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced.

I don't think that's true. There is a redirect through Passport for every site the user visits, and both the grocery store and the online stock broker has registered its own key with Passport.

You can only use a cookie set by Passport for one single site, and the grocery store can't use the authentication token you used to access its site to impersonate you at your online stock trader, because that token has to be encrypted in the stock trader's key (which the grocery store doesn't have).

That said, you make a valid point too: what you get in return for locking your grocer out of your stock account is the little fact that Microsoft is now able to access all your accounts. Because they have all the keys.

Re:The Power of Passport... (1)

MarkLR (236125) | about 13 years ago | (#2133873)

But if you use Passport on a public terminal that has a keystroke logger installed the person who put it there now has access to your Passport account and can do anything with it. If somebody captures my Slashdot password its a minor issue, e-mail - more important, password for my on-line banking - very important. Passport should allow your to have multiple levels of security.

Hailstorm. (3, Interesting)

slashkitty (21637) | about 13 years ago | (#2116696)

Yes, some sites use Passport now, but soon, many many sites may be using it in combination with Hailstorm. This posses more problems as well. More users will be using it. They will have to use it more often. More data will be stored accessible with a Passport login.

Many people agree that this is the start of Microsoft's goal of "collecting a toll on every transaction on the internet". As others have suggested, upcoming versions of MS server software will make it easier and easier to use Passport when building web services. At the same time, they will make it harder not to use it... Adding more hoops to go through to set up something else... Like how they are removing Java from XP: one more hoop to to through to run Java.

As you can see, any security flaws in Passport could become a huge problem. Couple this with things like Sircam and CodeRed worm, and you have something that could drain bank accounts and do stock trades for you.

Re:Hailstorm. (0)

philipm (106664) | about 13 years ago | (#2114486)

yeah, OK. Most people agree that it is a very good thing for everyone that you don't speak for most people. Have you ever heard of social security numbers? How about mother's maiden names? Do you understand that the only real security is to change your password?, and that having 100 different logins and passwords is stupid? Oh, and P.S., if microsoft graciously takes the risk of developing a technology that is used in every online transaction then why shouldn't they get a cut like visa or AOL?

Re:Hailstorm. (2, Informative)

Kierthos (225954) | about 13 years ago | (#2111895)

ObNote: Social Security Numbers were not originally intended to be used for identification purposes. If you find an old enough Social Security Card, it will even say that on it.

Now, personally, I don't want an 'internet' that makes me use Passport if I want to access certain sites. Sure, if I'm accessing various MS supported sites, I can understand it being there, but I still don't like it. What I can't stand is the MS attitude of making their products 'required' and shutting out everyone else. Sure, some people might just call it good business sense on the part of MS, but let's face it, with as much market share for OS's that they have, it's just another continuation of monopolistic practices.

"Where shall we let you go today?"


Convenience for law enforcement (0)

Anonymous Coward | about 13 years ago | (#2137214)

The law enforcement community will love passport. Instead of spending days depriving a suspect of sleep, water and food in an attempt to induce the disclosure of multiple passwords, they will be routinely downloaded from microsoft's passport database.

The gathering of non-suspects' passwords probably will be pseudo-justified by claiming that the accounts won't be accessed until a more specific search warrant is issued.

Resemblance with PayPal (1)

drnomad (99183) | about 13 years ago | (#2126170)

I didn't know all this about passport, but it has great resemblance with paypal. The bogus site exploit has been done there as well.

The difference between paypal and microsoft merely is the fact that passport is not intended for micropayments, as I believe that ms will mostly focus on the b2b market.

For micropayments, Paypal [] has low risk because they have taken a mix of all sorts of measures. An ex-FBI agent is in charge of two or three fraud detection teams, their "IGOR" system is an automated fraud detection system. Because the wallet contains such small amounts of money, the loss risk is therefore much smaller than if you'd use big amounts - necesary for b2b transactions.

I do notice the resemblance between PP and MS that they are dealing with the same security problems, perhaps this is why PP and MS are collaborating. When MS chooses not to work with micropayments, my guess is that they could get a lot of security problems, not only the ones written in the article, also the securite problems Paypal hasn't solved technically, but manually.

Not that I was ever going to use it anyway... (2, Interesting)

Godwin O'Hitler (205945) | about 13 years ago | (#2126179)

Passport can be as watertight as a duck's arse or as full of holes as a sieve for all I care. For me the only question is, why the hell would I choose Microsoft as my sole broker in the first place? - I haven't as far as I'm aware gone stark raving nuts yet!

It seems likely that some if not a lot of people are going to use the passport service outside of hotmail. It seems likely that some or a lot of them are going to regret it. While I don't wish those people any harm, they could be well the ones who bring this latest Microsoft ruse to a speedy end.

Juxtaposition with Code Red II (1, Flamebait)

astrashe (7452) | about 13 years ago | (#2126196)

The new variant of Code Red might turn out to be the most damaging worm yet launched. That's happening today, while I'm writing this. My DSL connection will be hit a couple of times, in all probability, as I type this up.

That has to be the context of any discussion of passport.

Even well designed security fails. For that reason, if single choke point that will plunge the world into chaos if security fails is a bad idea. Passport is a bad idea.

The most important flaw isn't in the protocol, or in the fact that it's built on insecure services. A well designed passport type system would still be flawed, because it would present a single point of failure.

The fact that they want to do this at all proves that they're not thinking about security first.

MS has a track record of doing dumb things security wise because their business models demand them. They wanted to tie word and visual basic together so they opened up the world to the threat of macro viruses. They wanted to tie email and office together, so they made email systems that would run programs embedded in documents automatically if someone sends it to a MS user via the email.

These are not obscure problems, and they're not difficult to predict. You don't need to be a security guru to realize that they're trouble. MS did it anyway, because it was in their interest to do it. It wasn't in their customer's interests.

Passport isn't in anyone's interest by MS's. It's a bad design because it's centralized, because all of the eggs are in one basket. Most people want privacy. Most people want their credit card information to be secure. Most people want to control the information they give to various sites -- they don't want it passed around in the background, in the name of convenience.

Apart from all of that, it has to be pointed out that the company that's building and marketing passport has the worst record in computer security on the planet. By that I mean that MS security holes have cost more money -- billions and billions of dollars -- than any other company's security problems. How long did it take them to close the outlook macrovirus hole? How long was it obvious to everyone that it was a bad idea, before they closed it? Years. Why? Because they put their business model above their customer's security interests. And they're doing the same thing here.

Passport is a horrible idea. And even if it was a good idea, these are the last guys who should be trusted to build it.

Spoofing Passport Login (3, Interesting)

sfe_software (220870) | about 13 years ago | (#2126326)

The article mentions the possibility of one registering (note the missing 's') to fool users into giving their username/password to the wrong site. A much easier way would be to redirect the user to a URL like this: .com

Crafted to look like a legitimate Passport login URL before the '@'. Then, put a passport spoof site at Everything before the '@' is ignored, and the user will simply see a long URL in the address bar. The browser actually connects to

So it's much easier than the article describes to trick a user into providing credentials to the wrong site; all that is needed is an SSL cert, a copy of the Passport login screen, and a clever URL...

As the article notes, users won't check the cert (as long as it's valid and doesn't give a warning). They'll just type in their username and password. Even if they glance at the address bar, most users won't have any clue about the '@' trick, and if the URL is long enough they won't even see it.

Over all, I think the article makes a very good analisys of the problems in Passport (or really any central login system).

- Jman

Re:Spoofing Passport Login (1)

zunix (117687) | about 13 years ago | (#2116030)

I tried putting in my explorer URL line and got a passport error message. Namely: it didn't work.

Yeah? Well you shut up!

Fuck you spork_testicle. (-1, Troll)

Anonymous Coward | about 13 years ago | (#2126425)

I hate you, spork_testicle. Fuck you. f u c k y o u ff uu cc kk yy oo uu fff uuu ccc kkk yyy ooo uuu ffff uuuu cccc kkkk yyyy oooo uuuu fffff uuuuu ccccc kkkkk yyyyy ooooo uuuuu

Re:Fuck you spork_testicle. (0)

Anonymous Coward | about 13 years ago | (#2114624)


spork_testicle is a crap spewing mong, and he's homosexual too.

Re:Fuck you spork_testicle. (-1)

asbestos_diaper (456125) | about 13 years ago | (#2121098)

Who is spork_testicle, and why do you hate him?

The answer in three words: (0)

Anonymous Coward | about 13 years ago | (#2115558)

He's a retard.

-- Bruce.

Re:Fuck you spork_testicle. (0)

Anonymous Coward | about 13 years ago | (#2120987)

Hey Diaper! When's the Geekizoid coming back on line?

Sporky is a fuckwit, true. AC's still SUCK! (-1)

cyborg_monkey (150790) | about 13 years ago | (#2114880)

Hey your anonomyous piece of dung, go back to rooting throught your neighbors garbage looking for used tampons and condoms.

Someone got root access on GiZ and deleted everything. And I mean EVERYTHING. I was on a conference call this morning with Win Ho Lee, the guy that donated the hardware for GiZ. He was very scared and confused about the whole thing. It sounded like he might have been under his desk.

Anywho, the midgets are ok so go ahead and rest your tired scrotum on one.

Re:Sporky is a fuckwit, true. AC's still SUCK! (0)

Anonymous Coward | about 13 years ago | (#2114032)

Shut up you cunt. I mean really, shut the fuck up.

I'm bored... and I haven't finished abusing you yet... so I'm waiting for GiZ to come back up. Tell Vladinator to get off his fat ass and sort it. K?

Security Soup (2)

danheskett (178529) | about 13 years ago | (#2126833)

It seems to me that the attacks listed are the same old attacks that most any system is vulernable to:

1. Confusion: many systems can confuse the end user. Slashdot could be one. How do you I logout? Can someone copy my login cookie and be me? Yeah, probably. This isn't a particularly new attack, do you think?

2. Key Management is the same problem that Verisign/Thawte have been faced with for a long time. How can we sure that the user/merchant is who he says he is? Its hard, for sure.

3. Central Point of Attack is again, a very real problem, but an old one. Any central database will face this, no matter what. More than anything, this discredits centralized logins, and by default, Passport. On the other hand, every little merchant will be under far less scruntiny in terms of security thanks to the central database.
4. Socially Engineered Attacks on Javascript/Cookies go back as far as, well, cookies and javascript. They are indeed bad technologies for secure uses, and using them here was naive at best. But the paper does point out that Javascript is not required.

5. Trust attacks are of coure relevant. Passport requiers a trust in the merchant who joined the program. Not much different from SSL, really.

6. Man-in-middle, DNS, etc attacks are also present, of course. This point didnt make much sense to me. The identical attack is present today. If i replace someones DNS records with a new entry for slashdot, then i can socially engineer their slashdot username/password. Passport makes this threat bigger and more real, especially on a company network where a bad employee could engineer some bad things.

I think the paper was really a re-hash of existing problems, and existing attack methods. The main difference is that instead of one or two applying to passport, they ALL apply to passport.

Centralized authentication would be nice, but not for the risk. But for certain, this paper didn't expose any new or unknown about Passport.

Re:Security Soup (1)

2bStealthy (512402) | about 13 years ago | (#2112309)

Goto and in the product matrix click on Microsoft's wallet.

Real passports! (0, Funny)

Anonymous Coward | about 13 years ago | (#2126865)


I thought this article was about how to forge a real-life passport.

I sure would like to change my identity...

What coutry do you live in? (-) (0)

Anonymous Coward | about 13 years ago | (#2116313)


Re:What coutry do you live in? (-) (0)

Anonymous Coward | about 13 years ago | (#2111827)

In Finland.

I've got a name and a social security number (obligatory; every citizen gets one at birth and cannot opt-out) with which I can be formally identified.

If requested by the police on the street (even with no plausable reason) you have to be able to produce a proper ID or be taken to the station to allow them to identify you.

If I want to rent a video I have to give my social security number and show some ID.

If I want a library card I will have to show my ID.

If I want to open a bank account, I'll have to prove my identity.

If I use my bank card (not a credit card; only allows withdrawals if you've got the money on your account at the moment) to buy stuff in excess of $50 I'll have to show my ID and let them write down my SS#.

Finland may be the promised land of computer and information integration into the fabric of the society but this also has a drawbacks. Information about you gets easily collected into huge data banks and is usually accessed by your social security number.

You don't have to report your income, stock, loans or deductables to the Tax Office. In fact, you don't have to fill in your tax report at all. They already have all the information about your economy and they send you a pre-filled tax form which you can either correct and send to them or simply leave at it is.

I'm sick of leaving electronic trails everywhere I go.

Re:What coutry do you live in? (-) (0)

Anonymous Coward | about 13 years ago | (#2151888)

I'm asking because I live in Russia, where the situation is opposite. All official transactions leave you with printed evidence that you have to conserve. (Personally, it's your responsiblity.)

It gets quite silly sometimes; for example, when you buy something moderately expensive (say, a couch) they give you two recepts, one regular and one "official" with a seal and a signature. Same when you get your paycheck -- you have to sign a document both for yourself and for your employer.

Anyways, in Russia there's something called an "internal passport" -- it's a passport that serves as your definitive ID. Any official information about you (marital status, blood type, place of residence, etc.) is written into your "internal passport". On one hand, this is good because you pesonally control what is written into you passport. (Pretty much.) On the other hand, if you lose it, you're in trouble.

Re:What coutry do you live in? (-) (0)

Anonymous Coward | about 13 years ago | (#2115510)

Any official information about you (marital status, blood type, place of residence, etc.) is written into your "internal passport"

That's interesting.

I'd feel much more comfortable with printed evidence: a couple of copies stored by the officials in a safe place and another by myself.

What the hell?!?! (2, Offtopic)

James Foster (226728) | about 13 years ago | (#2127362)

"its not lame anti ms rhetoric"
Is this supposed to suggest that other MS articles that are posted to /. *ARE* "lame anti ms rhetoric"?
Oh yeah, and where the hell is the punctuation? Shouldn't it read "it's not lame, anti-MS rhetoric"?
I mean... thats 6 words... and somehow /. editors managed to fit in about 3 mistakes in 6 words?!?
/. isn't exactly renowned for it's editing, but this seems to be a new low.
The post also has nothing to do with the article, we're given very little info. Of course, now I know its not lame and that its "a good read", but I kinda expect that would be why it's posted.

Re:What the hell?!?!The post also has nothing to d (1)

anshil (302405) | about 13 years ago | (#2112211)

The post also has nothing to do with the article, we're given very little info. Of course, now I know its not lame and that its "a good read", but I kinda expect that would be why it's posted.

Actually this is a plus point, and exactly how they should do it. A news reporter should report, and not add his opinion to it.

Many news on /. are not *lame* anti ms rhetoric themselfs, but often times the submitters add they ""lame"" opinions to it, and many reply comments come from a feared view, so are FUD, from both sides.

I think most of the anti-ms FUDs actually hurt the OpenSource communitiy, as it looses seriousity through this. Through all the FUD avalanche the serious crimes weasel through unnoticed. In some degree some stories had their positive effect, like in example the canceled program where they tried to track people who buys pc without windows preinstalled. Constant watching and finger clapping seems to be necessary to trust bindly IS a failure, for both ms-product costumers and their competition. However we should take care to not spread pure FUD, but try to make serious stuff, and not to cry for everything, especially unprooven actions.

Yes, grammar errors make a bad impression on first sight, but actually this is just dealing superficially. I know my grammar is bad since I'm no native english speaker, and haven't yet learned better, so please spare my post from your corrections.

Re:What the hell?!?! (1)

p_trinli (463461) | about 13 years ago | (#2114298)

I honestly wonder how someone as... uhm, challenged, as Malda managed to start and run Slashdot in the first place. I say we have a new Poll:

Who should take over Slashdot?

  • Anonymous Coward
  • CowboyNeal
  • Hemos
  • timothy
  • Write-in (post it in a comment)
  • etc.

Re:What the hell?!?! (1, Troll)

Detritus (11846) | about 13 years ago | (#2115564)

There are a lot of lame articles on slashdot. Poor spelling, punctuation and grammar are the norm. Not to mention non-existent fact checking.

Remember, AMD and Linux are good, Intel and Microsoft are bad. Why think when the collective can do it for you?

Re:What the hell?!?! (0)

Anonymous Coward | about 13 years ago | (#2122723)

Grammarian usually has little to contribute to a discussion and possesses few effective weapons. To compensate, he will point out minor errors in spelling and grammar. Because of Grammarian's obvious weakness most Warriors ignore him.

Flame Warriors []

Re:What the hell?!?! (4, Informative)

ninjaz (1202) | about 13 years ago | (#2124769)

"its not lame anti ms rhetoric"

Is this supposed to suggest that other MS articles that are posted to /. *ARE* "lame anti ms rhetoric"?

It sounds to me like it means: "This is not the same punditry you've seen before bemoaning MS being the holder of all keys, it is a technical discussion of the protocol/service".

There was no mention of other Slashdot stories. I think it's assumed that Slashdot readers also consult various other sources of news and information (being that most of the stories are from reader submissions and all)

/. isn't exactly renowned for it's editing, but this seems to be a new low.

The post also has nothing to do with the article, we're given very little info.

Slashdot has never been about the editing. It's about geeks swapping info/opinions/war stories/etc about the news of the day.

If you want good editing, visit Linux Weekly News at [] . Or if you want to bash other people's editing, you can do that, and have the power to rate the story itself down, so it won't get posted, over at Kuro5hin - []

Re:What the hell?!?! (1)

cREW oNE (445594) | about 13 years ago | (#2125236)

But 99 out of 100 MS-related articles here on /., (there's your punctuation) *ARE* indeed lame and mostly untrue anti-MS articles.

Slashdot does a great job spreading FUD about MS and MS products. Slashdot cannot be regarded as a credible newssource for MS related stories. In fact, the amount of anti-MS FUD coming from slashdot has outgrown the amount of anti-OSS FUD coming from MS.

Re:What the hell?!?! (1)

DNS-and-BIND (461968) | about 13 years ago | (#2120764)

Hm, just looking at the front page now, there are 2 out of 2 articles that are uncomplimentary towards Microsoft, and rather true as well. The first concerns an insecure web server made by MS, and the other concerns MS's leveraging their monopoly to block third-party software that performs similar functions to MS's own software.

Slashdot cannot be regarded as a credible newssource for MS related stories.

(dripping with sarcasm) Oh, really? Did you just figure that out now, Brainiac?

Re:What the hell?!?! (1)

cREW oNE (445594) | about 13 years ago | (#2120153)

No. But the dude who wrote the article I replied to seems to think it is.

Re:What the hell?!?! (1)

James Foster (226728) | about 13 years ago | (#2115557)

I don't think it is.
But I do not see why it CAN'T be.
I just think that by putting "its not lame anti ms rhetoric" they seem to acknowledge that other MS articles posted on /. are unreliable. My point was that if they acknowledge this, why don't they do something about it?

Re:What the hell?!?! (1)

cREW oNE (445594) | about 13 years ago | (#2114037)

I don't know. Frankly, the editors that post the MS articles are making fools out of themselves. Slashdot these days seems more and more about posting negative MS articles, and less about "stuff that matters."

Re:What the hell?!?! (2)

dair (210) | about 13 years ago | (#2127047)

I mean thats 6 I know its not...that its "a good read"
You don't seem to be immune yourself - you've missed three apostrophes from thats, its, and another its.


Re:What the hell?!?! (1)

sydb (176695) | about 13 years ago | (#2120150)

"its" does not require apostrophes in any of its incarnations, possessive or abbreviative.

Check a grammar reference.

Re:What the hell?!?! (1)

Zombie (8332) | about 13 years ago | (#2114034)

michaelatwd21dotcodotukdotspamproof stated with hilarious arrogance:
"its" does not require apostrophes in any of its incarnations, possessive or abbreviative

Well, now we know what the British public school system is worth. It's useless!

Re:What the hell?!?! (2)

Gordonjcp (186804) | about 13 years ago | (#2122814)

You should come to Glasgow. They stick apostrophes everywhere, even on words that just happen to end in 's'.
Of course "shopkeeper apostrophes", where you put an apostrophe in a plural, is the favourite...

Re:What the hell?!?! (0)

hisholiness (32875) | about 13 years ago | (#2115556)

Well, Microsoft's Word XP grammar checker seems to think that "its" is possessive, while "it's" is an abbreviation of "it is."

That seems to jive with my grade school lessions on the subject.

"Go forth, my child, with Dog!"

Browser-based security model (5, Interesting)

Old Wolf (56093) | about 13 years ago | (#2127399)

I have some experience to draw on here. While developing an internet-based payment system [] , I had to evaluate various security scenarios. The payment system is a server (Apache+PHP :) with connections to a transaction switch which is connected to a bank; a Merchant shopping site will redirect a customer to the payment page, who will make their payment there, and return a success or failure flag to the Merchant. The Merchant will tally up cash with us or with the banks in their regular settlement.

The first scenario I decided on and implemented was the similar as what Passport is using, but with the 3DES-key optional (so that Merchants with poor web coders could still participate). For the rest of this discussion, I'll only refer to the version with the DES protection.

Also, being a payment system,there was only one ever call and one return with results -- not a login and logout process.

We found that by using various SSL, cookie methods, and so on, we could get around all security flaws, but the downside is that the Merchant has an awful lot of responsibilities, including:

  • Verifying, encrypting and decrypting the 3DES keys
  • Keeping its 3DES key secure...
  • ...which entails keeping its system totally secure from hacking
  • Implementing the rest of the protocol to communicate with the Passport etc. server via cookies
  • Generating cookies that work correctly in any version of any browser (even getting them to work correctly in one browser is a hassle!)
  • Detecting duplicate transactions (for example, J.Hacker does a valid purchase for $1; and records the connection, then comes back later, begins a purchase for $10000, and intercepts the connection and responds with the $1 packet)
and the list goes on. In the end I decided that while it was a security model that held together, and if I were coding for the Merchant I could do it correctly, but there are many Merchants that would simply fail to do it right, and either have it work buggily or insecurely, or not at all, and then blame the system (or the customers would blame the system).

It's easy to say "Well, they should do it right," but when you've been in the commercial world a while, you realise just how incompetent many companies are.

In the end, tired of patching up small hole after small hole and writing merchant integration documents, I changed my mind and chose an alternative scheme which may seem harder for Merchants at first, but in fact leaves them as little room for going wrong, even if the transactions run a little slower.

Conclusion? Hack just one of the merchants involved in Passport, grab their 3DES key, and you're in and untraceable (bar the merchant actually keeping valid authentication logs and being able to follow them; in which case the worst that could happen is that they change their 3DES key). The security will deter script kiddies but a hacker with serious skills will have a field day.

Windows users (2, Troll)

Cave Dweller (470644) | about 13 years ago | (#2127811)

"The bulk of Passport's flaws arise directly from its reliance on systems
that are either not trustworthy (such as HTTP referrals and the DNS) or assume
too much about user awareness (such as SSL). Another flaw arises out of
interactions with a particular browser (Netscape). Passport's attempt to
retrofit the complex process of single sign-on to fit the limitations of
existing browser technology leads to compromises that create real risks."

Do we really *need* Passport?

Re:Windows users (1)

Cave Dweller (470644) | about 13 years ago | (#2117129)

Grr, I messed up the subject :(
Not enough coffee today

Re: Do we really *need* Passport? (4, Interesting)

j-beda (85386) | about 13 years ago | (#2121100)

Do we really *need* Passport?

Probably not, but a secure single sign on would be nice, if the proper privacy and security issues can be addressed. I think that XNS [] has a chance of doing this type of thing better than any of the closed source alternatively like Passport.

Why not local machine database? (3, Interesting)

Nightlight3 (248096) | about 13 years ago | (#2114146)

Probably not, but a secure single sign on would be nice, if the proper privacy and security issues can be addressed.

It might "be nice," but for whom?

Why does this info need to be on an external machine at all (other than helping Microsoft or government bureaucrats)? A browser (or an add-on) could do all that with a locally encrypted database (which can be copied or synchronized with, say, your laptop) and you don't have to expose your personal info and browsing habits to some central agency to collect, track and correlate. It need not essentially be any different than the list of bookmarks bookmarks or email addresses we already use. If you have multiple machines, you copy your bookmarks or email address book to other machines.

The commonly parroted "Passport rationale" could be equally applied to browser bookmarks or email address book and, if it had any merit, we would already have our bookmark lists and email address books on the Microsoft servers to use as they wish. We don't keep them there. And the same will apply to the Passport scam.

So, could you explain, where is the gain for the user (not Microsoft or government bureaucrats) in keeping personal info on Microsoft servers, and how does that same reasoning fail to apply to your bookmarks or email address books.

Re:Why not local machine database? (1, Insightful)

Anonymous Coward | about 13 years ago | (#2126191)

The idea behind passport and a centralized approach is so that yourinformation is available EVERYWHERE. If you went to a place that has internet enabled kiosks and you wanted to access your information you would have to have synced it with this system. Using passport, or another system like this, the user doesn't have to worry about syncing at all.

Perhaps a better approach would be to create smart card tehcnology that holds this information. The biggest security risk here is losing your smart card, probably about as damaging as losing your credit card, perhaps more so, but it's realistically the only alternative. Syncing is not alternative becaus eit limits where your data can be accessed from.

Keep in mind that many of the systems Passport and Hailstorm, because the two are intrinsically intertwined, do not exist. Passport and Hailstorm could conceivably eveolve into smart card technology or PDA bsed systems that use IR or Bluetooth to communicate with each other. These two technoogies represents innovation and the future of computing systems. Let them flourish and see where they take us. Don't rip them out with the weeds because you don;t understand them.

Re: Do we really *need* Passport? (3, Insightful)

zerocool^ (112121) | about 13 years ago | (#2115559)

..if the proper privacy and security issues can be addressed.

The inherant problem with this technology, however, is that in order to have a secure, single sign on, somewhere there has to be a database, accessable to the internet in some fashion, which has the username, password, and private information of whoever wishes to use it. There's just no way to get around that. And no matter what platform this system is running, there will be never ending attempts to bring it down or r00t it.

Plus, i don't like the idea of my private information being the property of a corporation.


Re: Do we really *need* Passport? (3, Interesting)

jilles (20976) | about 13 years ago | (#2140821)

The situation without passport is even more insecure because:
- it relies on individual vendors to provide security for communication
- consumers trust these vendors to do so in most cases
- any vendor protocol is subject to the same security risks as passport
- most vendors are script kiddies rather than security experts (i.e. they are quite clueless about implementing proper security)

Any solution that improves the current situation is a step forward. That being said, the real issue is trust and I am a bit hesitant to trust a commercial company with privacy sensitive information (this is not anti MS, I wouldn't trust Red Hat with it either). The only way I could trust a passport server would be if it were protected by laws making every kind of abuse (including using the information for marketing purposes) illegal AND if it were maintained by an organization (preferably governmental) that has no interest in abusing this information. MS fails both requirements.

Interestingly, laws for the first requirement exist in some countries. It wouldn't surprise me if MS would run into legal trouble at some point for violating such privacy protecting laws.

Re:Windows users (0, Flamebait)

crazney (194622) | about 13 years ago | (#2127694)

we need passport as another example of how microsoft is abusing their monopoly (Read: hotmail, msn messenger, communities, etc) - and hopefully this will help then dig their own grave!

Re:Windows users (1)

halftrack (454203) | about 13 years ago | (#2126861)

we need passport as another example of how microsoft is abusing their monopoly (Read: hotmail, msn messenger, communities, etc)

I don't get this, they don't force us. Of all those things you mentioned I only use hotmail and that's because it's free, resonably reliable and doesn't care if I sign up as A.Nonymus from Yemen. I could just as well have used Yahoo!

Re:Windows users (2, Insightful)

crazney (194622) | about 13 years ago | (#2122011)

no, they dont "Force" us to use these things.. But, as passport grows and more sites use it, it will be almost impossible not to have a passport account. If you want to use service X you will have to sign up with microsoft.

The example of msn/communites was just from personal experience. I am unable to communicate with many of my friends over the net cause I refuse to sign up to passport - sure its my choice, but in my oppinion they are abusing their monopoly with this.
It will become worse when many other merchants are using passport.

Re:Windows users (2, Interesting)

danheskett (178529) | about 13 years ago | (#2115582)

Wait a minute, you made a choice!

Option A: Do not communicate with friends, try to convince them to use Jabber or something else, or call them on the phone.

OR Option B: Get a passport account and use MSN messenger.

Why is that monopolistic? If it were only A, then sure, I'd follow your logic.

If many merchants sign up with passport, your options will still be:

Option A: Choose a different merchant.

Option B: Get a passport account.

sure its my choice, but in my oppinion they are abusing their monopoly with this
How is that abuse of a monopoly? I dont follow your logic. You just said its your choice. Then you say they are forcing it on you. Those statements just don't mix.

Re:Windows users (0)

Anonymous Coward | about 13 years ago | (#2118891)

Your problem is that you won't accept software the consumers have voted for with their wallets.

If the passport grows and more sites start to use it, well... that's market economoy for you.

Re:Windows users (0)

Anonymous Coward | about 13 years ago | (#2122730)

Microsoft's not forcing people to use their products?

They do it by making it impossible for a third party software to interface properly with the MS crap! They close or obfuscate data structure and APIdocumentation.

I have to use W2K and Office at work because otherwise I wouldn't be able to work efficiently with my clients and co-workers cause they insist on using MS crap.

Watch the passport become highly popular and suddenly you have to sign on too because your client stores his information in .NET behind the passport identification.

Re:Windows users (1)

halftrack (454203) | about 13 years ago | (#2115963)

I have to use W2K and Office at work because otherwise I wouldn't be able to work efficiently with my clients and co-workers cause they insist on using MS crap.

Then let me help. One name; StarOffice. It supports all MS-Office formats, it's free and aviable on most platforms (including Windows.)

They do it by making it impossible for a third party software to interface properly with the MS crap! They close or obfuscate data structure and APIdocumentation.

Interaction with MS-crap isn't that useful. Let's say passport got a grip on most online banks, shops, stock traders etc. I find it hard to belive that they would substitute all login possibilities with passport. You would still have the possibility to create a username and password, they might even implement non-MS open-source alternatives. For instance; at least half of all /.'ers would not use passport and that's more than 200.000 heavy Internett users and online shoppers. Our opinions are infact heard by capitalistic powers, because we're pro free, open-source alternatives.

Re:Windows users (2)

the eric conspiracy (20178) | about 13 years ago | (#2114484)

StarOffice. It supports all MS-Office formats, it's free and aviable on most platforms (including Windows.)

I tried that. It doesn't reliebly open all MS-Documents,

Re:Windows users (0)

Anonymous Coward | about 13 years ago | (#2114964)

StarOffice. It supports all MS-Office formats

Tried it. It didn't open the Excel file my boss sent to me (lots of graphics and calculations).

Re:Windows users (1)

halftrack (454203) | about 13 years ago | (#2114514)

On rare occations it don't. (But it usually do) You still don't need Windows. You can even depend on Office without Windows. Just use Wine (Windows emulator) office works with it.

Now repeat after me 10 times; I don't need MS, I don't need Windows

Re:Windows users (1)

DNS-and-BIND (461968) | about 13 years ago | (#2113888)

Repeat after me 10 times...Wine Is Not an Emulator []


Re:Windows users (0)

Anonymous Coward | about 13 years ago | (#2114402)

Wine Is Not an Emulator

Then what the hell is it? An emulator?

Re:Windows users (0)

Anonymous Coward | about 13 years ago | (#2138716)

I don't need MS, I don't need Windows
I don't need MS, I don't need Windows
I don't need MS, I don't need Windows
I don't need MS, I don't need Windows
I don't need MS, I don't need Windows
I don't need MS, I don't need Windows
I don't need MS, I don't need Windows
I don't need MS, I don't need Windows
I don't need MS, I don't need Windows
I don't need MS, I don't need Windows

That felt good.

Re:Windows users (1)

Kenyaman (458662) | about 13 years ago | (#2126189)

Then let me help. One name; StarOffice. It supports all MS-Office formats, it's free and aviable on most platforms (including Windows.)

Er... not "hard" documents. Word documents with tables don't load right, for instance. Neither do Excel documents with graphics and things like cell protection. This was a huge issue when I was applying for a Linux job through a head hunter. I mentioned I didn't have access to Office and was informed, "I don't know how you can call yourself a professional if you don't have Office." I bailed on the headhunter (and am still looking for work, halfheartedly).

Re:Windows users (1, Troll)

F_Prefect (69773) | about 13 years ago | (#2123264)

I don't get this, they don't force us.

I don't know if you have read anything about Windows/Office XP. In order to get them to work for more than 30 days, you have to get a passport account. This is so that MS can get the info of what machine (not Processor ID #) but what type of processor, how much ram, type and size of HD's, etc. I will give MS one good statement, they can make an awesome licence agreement, just too bad that they can't make a decent OS.

Re:Windows users (1)

Kenyaman (458662) | about 13 years ago | (#2126176)

I *tried* to avoid upgrading to IE 5. I liked IE 4 and was happy with it and didn't want the extra bloat of IE 5.

I couldn't do it. Every time I turned around, something from Microsoft was installing IE 5 on my (wife's) machine (mine runs Linux and has endured over 200 infection attempts from the various Code Red variations ).

Re:Windows users (1)

Kierthos (225954) | about 13 years ago | (#2142329)

Same here. At one point I deleted IE 4 completely from my computer, hunting through every directory and deleting each little instance of the various hidden files, and so on. Went to using Netscape completely.

Three days later, I've got IE 5 wanting to download every time I visit half a dozen sites, half the files on my computer which should load fine under Netscape (and actually used to load fine until I nuked IE 4) have become 'broken' files, and my computer is GPF'ing every damn chance it gets because it can't find its little buddy IE.

Needless to say, it's on my computer right now, although I'm constantly trying to find ways not to use it, by continuely reminding it that it's not the damn default. (No matter how many times I do, it still is retarded and thinks it is. I'm obviously missing something important here, but the college NT admin couldn't help me either. But he has his hands full with people forcing disks in upside-down.)

The strange thing is, I wouldn't mind it nearly as much if it worked correctly and wasn't so damn bloated. Surely it's possible to build a bare-bones browser without all the damn bells and whistles. So why can't MS do it?


Re:Windows users (1)

2bStealthy (512402) | about 13 years ago | (#2127785)

CaveDweller, an embedded hardware would sure change that wouldn't it? That is what AOL has decided to do. "Within six months" they will launch an "authentication device" that is not tied to these weaknesses you've addressed. Passport is all about centralized control. It reminds me of the old PSTN that my Grandmother had when I was young. The phone would ring and the operator would say "call for the Johnson's." Since we were the Smith's we were supposed to hang up and not listen it. I think it was called a multi-party line. However, consumers and privacy groups advocated decentralizing and putting control into the hands of the user. The network was distributed. Another analogy was music. 80 years ago you could really only listen to music live or on the radio (which was live too). Artists really were poor! Users were controlled by the distributors (listen when we play it). That changed due to guys like Edison developing recording devices. A recording device put the distribution of listening/watching into the hands of the consumer. Guess what? The internet is doing the same thing. It has started out as centralized control just like these other two mediums. However, consumers are now tired of centralized control and their inability to control the distibution of content (or their personal info for that matter). P2P with a hardware-based authentication device will empower the consumer and remove the control from companies like Microsoft. Best Regards!

The biggest problem with Passport... (1)

Anonymous Brave Guy (457657) | about 13 years ago | (#2133885)

I don't think the biggest problem with Passport is technical. As far as I can see, none of the implementation issues raised by the article is necessarily insurmountable.

However, no matter how clever, reliable and secure Passport may be, and however many genuine, real-world problems a technology like this could solve, there is always going to be a significant voice against it just because of Microsoft's past behaviour, and the inherent suspicion some people are going to have of them because of it. Even if Passport is something of a success, a large number of people will always have their doubts (justified or not -- I offer no opinion on this).

Those doubts could seriously hinder its widespread acceptance, and hence reduce the point in having it in the first place. After all, even if someone sets up a competitive version, you probably wind up with a 'net where some sites authenticate using Passport, some use Competitor A, and so on. At that point, you need multiple log-ins again, and you're back to square one.

The alternative, I suppose, is that e-commerce sites and the like allow multiple authentication mechanisms, and their users can choose which to use. This, though, immediately raises questions about whether all sites will accept all authenticators, or only 90% of sites will accept 90% of authenticators. Look at the whole TLD mess for a prime example of what happens when you get "competition" in something where you really need everyone to agree.

For once, you almost need a single monopoly provider for this single sign-in idea to work. As soon as there is competition, the basic idea starts to fall apart. Of course, that restriction introduces all the drawbacks associated with any other monopoly. And that, IMHO, is the biggest problem with Passport.

Another problem (1)

j7953 (457666) | about 13 years ago | (#2139954)

There is another big security problem with a central logon service. If someone manages to get access to your Passport login information, he can use all Passport-using sites with your authentication, not just the sites for which you created the account.

If someone manages to get access to your webmail account, he can read your mail. This alone is bad, but if your webmail service is Hotmail, your webmail account is actually a Passport account. The attacker can now not only read your mail, he can also use your authentication for all kinds of other services that use Passport, even if you never intended to use your account for those services.

This isn't a big issue yet, because the attacker could just as well create his own account. Logging in with your identification on a site which you have not used yet usually doesn't make sense. But if Passport manages to become the authorative source of authentication (think of trusted realname indentification, digital signature services, etc.), this might become a real security problem.

Very average and somewhat deceptive report (2)

Vryl (31994) | about 13 years ago | (#2140602)

Most of the attacks in the report are agains 'single signon' systems and not confined to Passport.

A couple of things that passport does could be done better, but there will always be idiots and ignoramus's.

As the saying goes: "We can make it foolproof, but not bloody-fool proof"

Passport's biggest problems are that it is a single point of failure, and also that it tends to extend Microsoft's monopoly.

I am still waiting for xnsorg to deliver some source code, hopefully addressing both these issues.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>