Analysis of Passport Flaws

An anonymous reader sent us an excellent (and technical) paper describing problems with Passport its not lame anti ms rhetoric, its actually a well written technical assesment of security problems with the unified login that passport aims to achieve. This is a good read.

more MS insecurity

[DNS-and-BIND]

Passport's security model depends heavily on the Domain Name System

You know, this more than anything else in the article bothered me. I can see the next big wave of MS server vulnerabilities leading to the surreptitious replacement of HOSTS files on the target machine. For those not in the know, most computers are configured to consult a local database of hostname/IP pairs every time a domain name is resolved to a numeric IP address (this happens every time you need a name resolved, which happens very very frequently). This local file is always queried first; if the answer is not found (usually the case) a query is issued to the DNS server, which provides a response. However, adding extra entries to a Windows hosts file (redirecting, say, passport.com, or more insidiously, microsoft.com to a lookalike site run by the attacker) could be a serious vulnerability. In the case of passport.com, the attacker could gain personal information and credit card numbers, however if microsoft.com were to be redirected, an attacker could trick the user into downloading trojaned patches or other software.

The paper's authors list an email address as "{davek,rubin}@research.att.com". This address is invalid (501 Bad address syntax). Anyone know how to contact these people?

Juxtaposition with Code Red II

[astrashe]

The new variant of Code Red might turn out to be the most damaging worm yet launched. That's happening today, while I'm writing this. My DSL connection will be hit a couple of times, in all probability, as I type this up.

That has to be the context of any discussion of passport.

Even well designed security fails. For that reason, if single choke point that will plunge the world into chaos if security fails is a bad idea. Passport is a bad idea.

The most important flaw isn't in the protocol, or in the fact that it's built on insecure services. A well designed passport type system would still be flawed, because it would present a single point of failure.

The fact that they want to do this at all proves that they're not thinking about security first.

MS has a track record of doing dumb things security wise because their business models demand them. They wanted to tie word and visual basic together so they opened up the world to the threat of macro viruses. They wanted to tie email and office together, so they made email systems that would run programs embedded in documents automatically if someone sends it to a MS user via the email.

These are not obscure problems, and they're not difficult to predict. You don't need to be a security guru to realize that they're trouble. MS did it anyway, because it was in their interest to do it. It wasn't in their customer's interests.

Passport isn't in anyone's interest by MS's. It's a bad design because it's centralized, because all of the eggs are in one basket. Most people want privacy. Most people want their credit card information to be secure. Most people want to control the information they give to various sites -- they don't want it passed around in the background, in the name of convenience.

Apart from all of that, it has to be pointed out that the company that's building and marketing passport has the worst record in computer security on the planet. By that I mean that MS security holes have cost more money -- billions and billions of dollars -- than any other company's security problems. How long did it take them to close the outlook macrovirus hole? How long was it obvious to everyone that it was a bad idea, before they closed it? Years. Why? Because they put their business model above their customer's security interests. And they're doing the same thing here.

Passport is a horrible idea. And even if it was a good idea, these are the last guys who should be trusted to build it.

Re:Windows users

[crazney]

we need passport as another example of how microsoft is abusing their monopoly (Read: hotmail, msn messenger, communities, etc) - and hopefully this will help then dig their own grave!