Slashdot Mirror

← Back to Stories (view on slashdot.org)

Analysis of Passport Flaws

Posted by ryuzaki0 on from the something-to-think-about dept.

An anonymous reader sent us an excellent (and technical) paper describing problems with Passport its not lame anti ms rhetoric, its actually a well written technical assesment of security problems with the unified login that passport aims to achieve. This is a good read.

5 of 174 comments (clear)

  1. This entire discussion violates the DMCA by crovira · · Score: 5, Insightful

    And that was the point.

    Now you can't discuss the weaknesses you find in an open forum so they can be addressed. You can only discuss it illegally through encrypted e-mail with others who will exploit them.

    The DMCA was NOT an improvement.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  2. Re: Do we really *need* Passport? by zerocool^ · · Score: 3, Insightful

    ..if the proper privacy and security issues can be addressed.

    The inherant problem with this technology, however, is that in order to have a secure, single sign on, somewhere there has to be a database, accessable to the internet in some fashion, which has the username, password, and private information of whoever wishes to use it. There's just no way to get around that. And no matter what platform this system is running, there will be never ending attempts to bring it down or r00t it.

    Plus, i don't like the idea of my private information being the property of a corporation.

    ~z

    --
    sig?
  3. We need an alternative by infiniti99 · · Score: 5, Insightful

    There's nothing particularly wrong with single-signon, just so as long it is done securely and the data of everyone on the planet isn't stored in one bank. Users are going to like the convience that Passport provides. Thus, we need a good alternative.

    I found this, which discusses a way of doing a Passport-like identification over Jabber, dubbed "Jident". Maybe this, or something like it, could be implemented as a proper open-source/distributed counter to Passport.

    Jabber is definitely what the world should be using instead of this new "Windows Messenger". Perhaps an alternative to Passport could be added/layered to it as well? Definitely check out that Jident page, especially the bottom where it lays out the pros and cons (and a neat scenario).

    Maybe something like this will be discussed at JabberCon.

    -Justin

  4. The Power of Passport... by Thomas+M+Hughes · · Score: 5, Insightful

    Well, my first question is really "Does anyone outside of Microsoft actually use passport for authentication?" Microsoft uses it a lot for MSN Messenger, Hotmail and all its other stuff, which isn't really bad (for Microsoft products that is). However, I have yet to see Passport used _outside_ of Microsoft.

    Then, assuming that other companies do begin to use Passport at a significant level (despite no one using it after months of its deployment), there then becomes the question "What happens when Microsoft denies companies access to passport authentication?" For example, what happens if a Hotmail competitor wishes to use Passport authentication for its web mail login? Clearly, Microsoft would be helping their competitor if they allowed it, and acting monopolistically if they don't. That does provide a small problem for Microsoft.

    Third is something that the article points out very early on about the very reason people need something like passport. To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced. Now, instead of your grocery store having access to your stocks, Microsoft has access to both your grocery store and your stocks, without doing anything but being a middle man authenticator.

    But what am I saying? Microsoft is the good guy, who would never abuse its power. That's why its okay for Microsoft to use its powers to "innovate," just like its okay for the US to develop defensive systems that give it the power to launch nuclear weapons without fear of retaliation.

  5. Re:Hailstorm. by Malcontent · · Score: 3, Insightful

    The corporation is guilty and should be punished. The punishment for this ought to be dissolving of the corporation and seizure of it's assets. The executives are guilty because it was they who made the decisions and used the corporation to commit crimes they should be jailed. The shareholders are guilty because they did not restrain their corporation and did not exercize their duty monitor and influence their corporation. The executives were serving the shareholders after all. They will be punished when the assets of the corporation are seized and the value of their shares go to zero.

    Now maybe a small minded stupid fuck thinks that this is rich envy but that's because the idiot apparently thinks that all rich people commit crimes. Or maybe the moron is incapable of understanding that the legal system has already determined that these people acted in a criminal manner. Perhaps the dimwit thinks it's wrong to punish criminals who are rich because "they commit less crimes then any random 10,000 people" but I hope to god stupid shitheads like that never get in power. We in this country already let the Rich get away with murder.

    --

    War is necrophilia.