Slashdot Mirror
Analysis of Passport Flaws
An anonymous reader sent us an excellent (and technical) paper describing problems with Passport its not lame anti ms rhetoric, its actually a well written technical assesment of security problems with the unified login that passport aims to achieve. This is a good read.
Yes, but since the current system isn't centralized, a hacker can only crack one transaction or vendor at a time. With a centralized passport system, a hacker could crack one username/password and gain access to incredible amounts of information and purchasing power. Plus when the Passport servers are cracked (I think it's inevitable that they will be at some time, somehow) the consequences will be catastrophic.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
As has been pointed out, you can't have literal '/' or '?' in the username portion of the URL (that before the @)... I didn't realize this before, so it does make it a little more difficult.
Using %-encoding would work for hovering over the link, but not what's shown in the address bar of the browser after the link is clicked.
On another note, something else the article mentioned was DNS spoofing. One quick way to do that would be to sign up at some large ISP to host "passport.com", and hope that the signup process is automated. Then, for users of that ISP (or rather for users of their name servers), passport.com would resolve to your webserver, assuming that ISP uses the same DNS servers for both authoritive and non-authoritive requests.
Of course, this would be difficult to pull off, but I'm sure with some creative thinking it could be done. I've seen domains resolve to the wrong host many times due to similar tricks (intentional or otherwise). We once had "firefly.com" (coincidently an MS-owned domain) in our DNS thanks to automated signups for domain hosting; luckily, we only served authoritive requests (we were a webhost, not an ISP).
- Jman
NGWave - Fast Sound Editor for Windows
ObNote: Social Security Numbers were not originally intended to be used for identification purposes. If you find an old enough Social Security Card, it will even say that on it.
Now, personally, I don't want an 'internet' that makes me use Passport if I want to access certain sites. Sure, if I'm accessing various MS supported sites, I can understand it being there, but I still don't like it. What I can't stand is the MS attitude of making their products 'required' and shutting out everyone else. Sure, some people might just call it good business sense on the part of MS, but let's face it, with as much market share for OS's that they have, it's just another continuation of monopolistic practices.
"Where shall we let you go today?"
Kierthos
Mr. Hu is not a ninja.
He forgot to point out that Passport can only work as long as the Open Source community is willing to pay the domain registration renewal fees for Microsoft's domains.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
The article does a good job of articulating specific issues with the Microsoft's Passport system. Other people have suggested that we should perhaps look to XNS or other open source single signon systems. However, I believe they are missing an important piece.
Yes, that's right. What good is a strong single signon system that auto authenticates distributed sites, when the single signon itself may be weak? How much will 3DES encryption protect you when your password is "Swordfish"? You may recall the slashdot article that discussed how the average person tends to do a poor job of picking a secure password.
Fundamentally, Microsoft's passport or any other single signon system is as weak as their weakest link. Which, in many, cases appears to be the original signon authentication. I don't see them really catching on until that problem is better addressed.
These systems will have a much better chance when biometric authenticators become ubiquitous. Then hackers will have a much harder time impersonating you at the single signon.
However, no single signon system is perfect and the world is going to get a whole lot nastier when biometrics arrives en masse. Someday, we'll wax nostalgic about happier times when hackers only attacked computers and didn't pull out your eyeball to break into your bank account. I just saw Demolition Man recently in which Wesley Snipes does a very nice job of faking out a retina scanner with this method - truly gruesome.
Bah, none of these single signon systems for me. I'll just stick with my secure method of appending the site url to "password". Even if someone compromises one password, they won't know the rest!
Comment removed based on user account deletion
I don't think that's true. There is a redirect through Passport for every site the user visits, and both the grocery store and the online stock broker has registered its own key with Passport.
You can only use a cookie set by Passport for one single site, and the grocery store can't use the authentication token you used to access its site to impersonate you at your online stock trader, because that token has to be encrypted in the stock trader's key (which the grocery store doesn't have).
That said, you make a valid point too: what you get in return for locking your grocer out of your stock account is the little fact that Microsoft is now able to access all your accounts. Because they have all the keys.
It might "be nice," but for whom?
Why does this info need to be on an external machine at all (other than helping Microsoft or government bureaucrats)? A browser (or an add-on) could do all that with a locally encrypted database (which can be copied or synchronized with, say, your laptop) and you don't have to expose your personal info and browsing habits to some central agency to collect, track and correlate. It need not essentially be any different than the list of bookmarks bookmarks or email addresses we already use. If you have multiple machines, you copy your bookmarks or email address book to other machines.
The commonly parroted "Passport rationale" could be equally applied to browser bookmarks or email address book and, if it had any merit, we would already have our bookmark lists and email address books on the Microsoft servers to use as they wish. We don't keep them there. And the same will apply to the Passport scam.
So, could you explain, where is the gain for the user (not Microsoft or government bureaucrats) in keeping personal info on Microsoft servers, and how does that same reasoning fail to apply to your bookmarks or email address books.
StarOffice. It supports all MS-Office formats, it's free and aviable on most platforms (including Windows.)
I tried that. It doesn't reliebly open all MS-Documents,
And that was the point.
Now you can't discuss the weaknesses you find in an open forum so they can be addressed. You can only discuss it illegally through encrypted e-mail with others who will exploit them.
The DMCA was NOT an improvement.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
its going to be an article aimed at technically au fait readers when the authors' emails are given as {davek,rubin}@research.att.com with no further comment on what this means...
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
So, they had been aware of the flaw, but did nothing about it untill it was publicly known? Call me paranoid, but how about this: Exploits are OK as long as they are known only to Microsoft people? Are they leaving some easter eggs so that a bunch of MS employees can gain access to other people's information and money?
It's bad enough that so many untrustworthy commerce sites are out there, running broken versions of MS web servers. Now we are supposed to have microshit as a "trusted" third party for all our commerce and authentication. No way Jose. My webshoppin days est fini. I'll be usng the phone from now on.
-- Another senseless waste of fine bytes.
..if the proper privacy and security issues can be addressed.
The inherant problem with this technology, however, is that in order to have a secure, single sign on, somewhere there has to be a database, accessable to the internet in some fashion, which has the username, password, and private information of whoever wishes to use it. There's just no way to get around that. And no matter what platform this system is running, there will be never ending attempts to bring it down or r00t it.
Plus, i don't like the idea of my private information being the property of a corporation.
~z
sig?
Comment removed based on user account deletion
There's nothing particularly wrong with single-signon, just so as long it is done securely and the data of everyone on the planet isn't stored in one bank. Users are going to like the convience that Passport provides. Thus, we need a good alternative.
I found this, which discusses a way of doing a Passport-like identification over Jabber, dubbed "Jident". Maybe this, or something like it, could be implemented as a proper open-source/distributed counter to Passport.
Jabber is definitely what the world should be using instead of this new "Windows Messenger". Perhaps an alternative to Passport could be added/layered to it as well? Definitely check out that Jident page, especially the bottom where it lays out the pros and cons (and a neat scenario).
Maybe something like this will be discussed at JabberCon.
-Justin
Many people agree that this is the start of Microsoft's goal of "collecting a toll on every transaction on the internet". As others have suggested, upcoming versions of MS server software will make it easier and easier to use Passport when building web services. At the same time, they will make it harder not to use it... Adding more hoops to go through to set up something else... Like how they are removing Java from XP: one more hoop to to through to run Java.
As you can see, any security flaws in Passport could become a huge problem. Couple this with things like Sircam and CodeRed worm, and you have something that could drain bank accounts and do stock trades for you.
-- these are only opinions and they might not be mine.
How would this be used for authentication? I generate an instance of a hard problem, P, along with a claim, C, which I only I can prove. I publish (P,C) as a type of public key. If I want to prove to slashdot or Hotmail that I am me, I use a ZKP to prove C thus authenticating myself. Since I used a ZKP, even though slashdot now knows C is true, slashdot doesn't know how to prove C itself. So slashdot can't pretend to be me when talking to Hotmail (unless slashdot can factor or solve my chosen hard problem).
Some benefits of using a ZKP include:
So my question is why doesn't MS use a zero-knowledeg protocol to implement passport? Is this type of idea patented, or are there are other issues such as security, speed, etc.? I'm not trying to bash MS since I know that they have some pretty smart people there I'm just trying to find out why they didn't use ZKP.
I suspect the answer is because a ZKP based system would probably be easy to clone by open source people or other companies. On the other hand, passport seems to give them significant business advantages at the cost of security, interoperability, elegance, etc.
This is a bit unusual; most of Microsoft's various 'innovations' are renowned for their user interface, and here we have the interface acting as a potential security flaw.
Who wants to place bets on how long it will take before somebody starts harvesting ID's from the local libraries?
its = possesive (i.e., belong to it)
...it's not lame anti ms rhetoric, it's
it's = contraction, for "it is".
So:
actually a well written...
Geez. Hire a high school student to proofread or something.
Probably not, but a secure single sign on would be nice, if the proper privacy and security issues can be addressed. I think that XNS has a chance of doing this type of thing better than any of the closed source alternatively like Passport.
no, they dont "Force" us to use these things.. But, as passport grows and more sites use it, it will be almost impossible not to have a passport account. If you want to use service X you will have to sign up with microsoft.
The example of msn/communites was just from personal experience. I am unable to communicate with many of my friends over the net cause I refuse to sign up to passport - sure its my choice, but in my oppinion they are abusing their monopoly with this.
It will become worse when many other merchants are using passport.
stuff
Well, my first question is really "Does anyone outside of Microsoft actually use passport for authentication?" Microsoft uses it a lot for MSN Messenger, Hotmail and all its other stuff, which isn't really bad (for Microsoft products that is). However, I have yet to see Passport used _outside_ of Microsoft.
Then, assuming that other companies do begin to use Passport at a significant level (despite no one using it after months of its deployment), there then becomes the question "What happens when Microsoft denies companies access to passport authentication?" For example, what happens if a Hotmail competitor wishes to use Passport authentication for its web mail login? Clearly, Microsoft would be helping their competitor if they allowed it, and acting monopolistically if they don't. That does provide a small problem for Microsoft.
Third is something that the article points out very early on about the very reason people need something like passport. To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced. Now, instead of your grocery store having access to your stocks, Microsoft has access to both your grocery store and your stocks, without doing anything but being a middle man authenticator.
But what am I saying? Microsoft is the good guy, who would never abuse its power. That's why its okay for Microsoft to use its powers to "innovate," just like its okay for the US to develop defensive systems that give it the power to launch nuclear weapons without fear of retaliation.
You should come to Glasgow. They stick apostrophes everywhere, even on words that just happen to end in 's'.
Of course "shopkeeper apostrophes", where you put an apostrophe in a plural, is the favourite...
I think that XNS has a chance of doing this type of thing better than any of the closed source alternatively like Passport.
/.ers just accept that on faith? Sure, many great things have come out of open source, but that does not automatically qualify everything stamped with GPL/BSD/licence-du-jour or appears to have a transparent process as a Good Thing, just as not every thing published by the big-bad-company is a Bad Thing.
Holy fsck is that ever ignorant!
Why are open-sourced foo always better than closed-sourced or company-owned foo? And why do most
As it stands now, Passport exists, appears to be scalable, and works most of the time, which is a lot more than I can say for XNS. And yes, Passport has problems right now and will have problems in the future, as will XNS. It's a part of the development process which can't be avoided but at least Passport is out there now, being used, attacked, and debugged, before it or anything else becomes somewhat of a universal standard when real $$ is at stake.
And given the choice of who to fix an emergent security concern in their respective systems, would you trust the well-intentioned staff of XNS, who are either very knowledgable but potentially few and far between (cf recent slashdot and K5 outages), or somewhat knowledgable and found in abundance; or Passport, staffed 24x7 by an army of people who at least know what they are doing and are eventually liable to shareholders and business partners who have multi$billions to throw around (or not)?
XNS and anything else that comes along will necessarily have to learn from the mistakes made by Passport now, and I don't think that's a Bad Thing. As it stands right now, the afore-mentioned army of developers _who evolved the current system over 5+ years and must listen and respond to customer and partner concerns or lose business measured by six or seven zeros on a daily basis_ aren't getting it entirely right, so why would I think that an emergent cadre of excellent but not-entirely-devoted developers with comparatively zero funding can _build and maintain_ what amounts to a public infrastructure (something which doesn't lend itself well to being maintained by an entity, staffed by few enough people that they can all be killed in one incident, and without real-world liability for failure) to serve billions of people world-wide? I don't.
</rant>
There are 1.1... kinds of people.
It sounds to me like it means: "This is not the same punditry you've seen before bemoaning MS being the holder of all keys, it is a technical discussion of the protocol/service".
There was no mention of other Slashdot stories. I think it's assumed that Slashdot readers also consult various other sources of news and information (being that most of the stories are from reader submissions and all)
Slashdot has never been about the editing. It's about geeks swapping info/opinions/war stories/etc about the news of the day.
If you want good editing, visit Linux Weekly News at http://www.lwn.net/. Or if you want to bash other people's editing, you can do that, and have the power to rate the story itself down, so it won't get posted, over at Kuro5hin - http://www.kuro5hin.org/
It seems likely that some if not a lot of people are going to use the passport service outside of hotmail. It seems likely that some or a lot of them are going to regret it. While I don't wish those people any harm, they could be well the ones who bring this latest Microsoft ruse to a speedy end.
No, your children are not the special ones. Nor are your pets.
The article mentions the possibility of one registering pasport.com (note the missing 's') to fool users into giving their username/password to the wrong site. A much easier way would be to redirect the user to a URL like this:
r .com
https://www.passport.com/very/long/path@evilhacke
Crafted to look like a legitimate Passport login URL before the '@'. Then, put a passport spoof site at evilhacker.com. Everything before the '@' is ignored, and the user will simply see a long passport.com URL in the address bar. The browser actually connects to evilhacker.com.
So it's much easier than the article describes to trick a user into providing credentials to the wrong site; all that is needed is an SSL cert, a copy of the Passport login screen, and a clever URL...
As the article notes, users won't check the cert (as long as it's valid and doesn't give a warning). They'll just type in their username and password. Even if they glance at the address bar, most users won't have any clue about the '@' trick, and if the URL is long enough they won't even see it.
Over all, I think the article makes a very good analisys of the problems in Passport (or really any central login system).
- Jman
NGWave - Fast Sound Editor for Windows
Comment removed based on user account deletion
-dair
I disagree.
The only shame is that the problems were pointed out this early before Passport is in widespread use.
Just imagine the PR for MS that could have resulted.
I'll see your senator, and I'll raise you two judges.
"its not lame anti ms rhetoric" /. *ARE* "lame anti ms rhetoric"?
/. editors managed to fit in about 3 mistakes in 6 words?!?
Is this supposed to suggest that other MS articles that are posted to
Oh yeah, and where the hell is the punctuation? Shouldn't it read "it's not lame, anti-MS rhetoric"?
I mean... thats 6 words... and somehow
/. isn't exactly renowned for it's editing, but this seems to be a new low.
The post also has nothing to do with the article, we're given very little info. Of course, now I know its not lame and that its "a good read", but I kinda expect that would be why it's posted.
The first scenario I decided on and implemented was the similar as what Passport is using, but with the 3DES-key optional (so that Merchants with poor web coders could still participate). For the rest of this discussion, I'll only refer to the version with the DES protection.
Also, being a payment system,there was only one ever call and one return with results -- not a login and logout process.
We found that by using various SSL, cookie methods, and so on, we could get around all security flaws, but the downside is that the Merchant has an awful lot of responsibilities, including:
- Verifying, encrypting and decrypting the 3DES keys
- Keeping its 3DES key secure...
- ...which entails keeping its system totally secure from hacking
- Implementing the rest of the protocol to communicate with the Passport etc. server via cookies
- Generating cookies that work correctly in any version of any browser (even getting them to work correctly in one browser is a hassle!)
- Detecting duplicate transactions (for example, J.Hacker does a valid purchase for $1; and records the connection, then comes back later, begins a purchase for $10000, and intercepts the connection and responds with the $1 packet)
and the list goes on. In the end I decided that while it was a security model that held together, and if I were coding for the Merchant I could do it correctly, but there are many Merchants that would simply fail to do it right, and either have it work buggily or insecurely, or not at all, and then blame the system (or the customers would blame the system).It's easy to say "Well, they should do it right," but when you've been in the commercial world a while, you realise just how incompetent many companies are.
In the end, tired of patching up small hole after small hole and writing merchant integration documents, I changed my mind and chose an alternative scheme which may seem harder for Merchants at first, but in fact leaves them as little room for going wrong, even if the transactions run a little slower.
Conclusion? Hack just one of the merchants involved in Passport, grab their 3DES key, and you're in and untraceable (bar the merchant actually keeping valid authentication logs and being able to follow them; in which case the worst that could happen is that they change their 3DES key). The security will deter script kiddies but a hacker with serious skills will have a field day.
"The bulk of Passport's flaws arise directly from its reliance on systems
that are either not trustworthy (such as HTTP referrals and the DNS) or assume
too much about user awareness (such as SSL). Another flaw arises out of
interactions with a particular browser (Netscape). Passport's attempt to
retrofit the complex process of single sign-on to fit the limitations of
existing browser technology leads to compromises that create real risks."
Do we really *need* Passport?
It would be even nicer if the most popular desktop environment were reasonably secure so that we couldn't easily list attacks that start there -- corrupted hosts file, cookie harvesting, keystroke capture...
A couple of things that passport does could be done better, but there will always be idiots and ignoramus's.
As the saying goes: "We can make it foolproof, but not bloody-fool proof"
Passport's biggest problems are that it is a single point of failure, and also that it tends to extend Microsoft's monopoly.
I am still waiting for xnsorg to deliver some source code, hopefully addressing both these issues.
The situation without passport is even more insecure because:
- it relies on individual vendors to provide security for communication
- consumers trust these vendors to do so in most cases
- any vendor protocol is subject to the same security risks as passport
- most vendors are script kiddies rather than security experts (i.e. they are quite clueless about implementing proper security)
Any solution that improves the current situation is a step forward. That being said, the real issue is trust and I am a bit hesitant to trust a commercial company with privacy sensitive information (this is not anti MS, I wouldn't trust Red Hat with it either). The only way I could trust a passport server would be if it were protected by laws making every kind of abuse (including using the information for marketing purposes) illegal AND if it were maintained by an organization (preferably governmental) that has no interest in abusing this information. MS fails both requirements.
Interestingly, laws for the first requirement exist in some countries. It wouldn't surprise me if MS would run into legal trouble at some point for violating such privacy protecting laws.
Jilles
>
> You know, this more than anything else in the article bothered me. I can see the next big wave of MS server vulnerabilities leading to the surreptitious replacement of HOSTS files on the target machine.
I can see that, but I can also see a wave of cookie-harvesting attempts. If the expiry dates on the persistent cookies used as authentication tokens is long enough (as it presumably must be, or the user would have to log in again every day), a worm that .ZIPs up a user's cookies and "phones home" by emailing the cookies to a set of randomly-pregenerated Yahoo (or for irony's sake, Hotmail) accounts, by filling out a web form (as, for instance, an AC posting to /. in a user-created forum), maybe even to an abandoned newsgroup, with bonus points for doing the USENET post through an open SOCKS proxy.
Either option is possible - the HOSTS file approach would be readily-detectable, though, and easily fixed. Whoever set up the site to which the h4x0red HOSTS file pointed would also be the obvious target for investigation. The cookie-harvesting approach would offer similar ease-of-coding for the k1dd13z, but depending on the mechanism chosen for "phoning home" (and the options available to the attacker for retrieving the messages containing the cookies, including anonymizing proxies), near-total anonymity.
As currently implemented, Passport and .NET are disasters waiting to happen, and I will entrust no confidential data with them. If my bank or broker requires their use, I will take my business elsewhere, or regress to doing my business over the phone or in meatspace.
Passport seems to me like an attempt to centralize a service because it is highly profitable for the service provider to do so, not because it makes sense. (AOL IM is another example.)
I'll agree with people that this paper is much more than your average MS-bashing that we experience here at Slashdot. It's good to see that the authors had done the technical research and had the evidence to back up their claims. It also had some interesting points that I though I'd might mention here:
In conclusion, you can say what you like about Microsoft, but unless you have evidence to back it up, you won't have much credibility. At least these people did their homework.
----------
When the pin is pulled, Mr. Grenade is no longer our friend.
The arrest of Avi Rubin would get a lot more attention and reaction from the serious research/tech community than the Skylarov case is producing.