Microsoft Defends Passport To Privacy Group
securitas writes: "CNET reports that Microsoft is defending Passport as safe and secure in a presentation to the Center for Democracy and Technology. Other organizations such as the Electronic Privacy Information Center, Junkbusters and even the U.S. government may be lobbied by MS this week to fend off a Federal Trade Commission complaint filed by 15 consumer and privacy groups that charges unfair and deceptive practices."
This says it all:
"One of Passport's greatest security weaknesses may be the single sign-on process, analysts said. The single point of entry could also be a single point of failure. Since the ID is always an e-mail address, someone looking to break into an account might easily obtain half the information needed to do so."
Because people usually don't pick very secure passwords, it's better to have multiple passwords so that an eavesdropper or other malicious person can't crack into all your accounts. U of I just made people intentionally set all their 3 or 4 passwords instead of just giving them one that applied to all 4 (although most people tend to choose the same password for all their online services anyway).
Also, because Passport's trying to incorporate a lot of information in one place that used to be distributed in many different places, if someone hacks into Passport, there goes all your privacy.
F-bacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
Just last month, Microsoft changed the service agreement for their passport system to require only an email address and password to sign up. Did Microsoft do this without any arm-twisting? No. Did they do it, though? Yes.
Just keep the pressure on them up. They're going to go ahead with some sort of service no matter what, but the amount of opposition they face now will determine how many of these concessions will be made "voluntarily". That way, even if the FTC doesn't come down with a favorable ruling, we won't be completely left out in the cold.
Incidentally, msnbc also has some coverage. A disinterested and impartial news source if there ever were one... or not, as it were.
If you have a look at the passport SDK, you'll see that the affiliated sites don't have direct access to any of the user's data.
A site that wants to use Passport for SSO generates a URL that redirects to the passport website. Then the user logs in, and passport redirects back to the original site. The original site can then access the authenticated username, but that's it.
When the site wants to get some data from the user, say the user's age or address, they don't query passport directly. What they do is redirect back to passport, passport generates a form with the values prefilled in. Then the user can edit those values, or just click submit, and the values are posted back to the original site.
So as a user you still get full control over what data a site you visit has. And you can tell a particular site info that is different to what is stored in passport. But it does save you typing in the same old boring gumpf into site after site.
For those that are interested here are links to the:
Passport EULA
Passport Privacy Policy
When the site wants to get some data from the user, say the user's age or address, they don't query passport directly. What they do is redirect back to passport, passport generates a form with the values prefilled in. Then the user can edit those values, or just click submit, and the values are posted back to the original site.
Or you can just use the very cool (and free) RoboForm which sits in your toolbar and auto-fills forms that pop up in your browser (there are other form-fillers around but I haven't tried them).
This kind of software doesn't require you to submit your personal information to a centralised authority (it's stored on your PC), and you can keep multiple 'identities' and choose which to use to fill in a form. I keep 'complete', 'partial', and 'anonymous' identities which I use to decide how much (and how truthful) information I want to give to a site.
So far, I have not heard of any password being compromised due to Hotmail's security problems (you can only read mail, but the password is not revealed because of this).
Of course, hackers can still use the old password guessing trick or social-engineering techniques, but this is not Passport's problem, nor Hotmail's.
This report provides a decent description of Passport's technical architecture and some of its potential issues, and links to other references.
While it does confirm your statement that you can tailor and select what information you send from the "wallet" MS keeps for you, there are still problems. For one thing, when you sign into Passport this is noted by use of encrypted (3DES) cookies stored on your browser. The intent here is that you only need sign in once and all kinds of sites will be able to authenticate you. This part of the procedure happens transparently once you've signed into Passport.
The vulnerability here should be obvious: if you don't at some point log out from Passport, then the next person who opens the browser will be recognized as you anywhere that uses Passport authentication. Furthermore, those neatly prefilled forms will then contain all your information, which this imposter could simply read off. Of course, the cookies are set to expire after a while, but certainly that is a matter of hours if not days, since MS doesn't want to interrupt people and force them to relogin.
This is only one of a number of problems and potential attacks outlined in the site I linked above. Good stuff, I suggest you check it out.
So from now on, forgetting to log out will be an internet-wide catastrophe as opposed to a localized problem? Thank you, MS.
There's a fundamental dichotomy forming here as to how to handle personal information. It is being driven by the need/desire to be able to access your personal information wherever you are. Microsoft wants to centralise your information*, via Passport, .NET etc, so that all your data is all in one place that you can always access. That's nice, but worrying from a security point of view.
The alternative way of doing things is a distributed model. With PDAs becoming more widespread and more powerful, it won't be long before you can store most or all of your personal data/files on a single small portable device. Now, providing some decent interfaces are written, this offers the same ease of accessibility as Microsoft's centralised solution, with the benefit of increased security - YOU are responsible for YOUR OWN data.
I know which I prefer. I'll always trust my own abilities to secure my own data more than I trust Microsoft to secure it for me.
Roll on with the distributed model I say!
* By information/data I'm not just talking about street address, credit card number etc., I'm talking about all your work/code/data/etc.
Jedidiah
...unless they specifically address the bullying issues they have towards the consumer.
I used to have a Hotmail account, for several years (even before they were bought by MS). I was only logging in every 3-4 months, mostly to keep it active, because it wasn't my main email address.
One day I found in it a message informing me that I had been automatically issued a passport. Without my consent. They had just taken the info in my hotmail registration and created a passport for me, without asking my permission. I got very angry, and asked that the "passport" be removed, because I didn't want it. The reply was "it cannot be removed, once you got one, you're stuck with it forever". It seems that, by logging into my hotmail account after they had sent me the info, I had "automatically given them permission to activate the passport". But nowhere on the login page was there any information about this!
I eventually let the hotmail account expire, but AFAIK the passport account they crammed down my throat is still there. There is no option to delete it.
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
When you sign-in to Passport there are two checkboxes...
One says 'Sign me on Automatically'. If you check this, a cookie is stored that remembers to authenticate you from then on.
If you don't check this box (which is the default condition), then a cookie is created and stored which remembers your username. But the authentication information is stored as a session cookie which disappears when you close the browser.
There is a second checkbox. It says 'I'm using a public computer'. This stores a session cookie on your machine for both the username and authentication.
Once you have closed the browser, the session cookie is gone and you no longer authenticate automatically, nor is your username auto entered for you.
So while I understand your concern, Microsoft has provided two checkboxes which alleviate this concern. Neither checkbox is on by default which means the default behavior is to remember your username only.
If you have a better solution to this problem, I'm sure we'd all appreciate hearing about it.
BTW, the paper you linked to has much better explanations of problems Passport might have than what you wrote about. Man-in-the-middle type attacks that involve redirecting DNS, etc.
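An added example, not part of the thread and not Passport's own code: a small model of the cookie behaviour the two comments above describe (the three sign-in checkbox states, and what the next person at the same browser gets). The cookie names `pp_user` and `pp_auth`, the 8-hour persistent lifetime, the rule that the public-computer box overrides auto sign-in, and sign-out clearing only the auth cookie are all assumptions made for illustration.

```javascript
// Added illustration. Cookie names and the 8-hour lifetime are assumptions.
const HOUR = 3600 * 1000;
const LIFETIME = 8 * HOUR; // assumed persistent-cookie lifetime

// Cookies set at sign-in for each checkbox choice; maxAge null = session cookie.
function signInCookies(user, { autoSignIn = false, publicComputer = false } = {}) {
  const ticket = "ticket-for-" + user; // stand-in for the encrypted auth cookie
  if (publicComputer) { // assumed to override the auto sign-in box
    return [{ name: "pp_user", value: user, maxAge: null },
            { name: "pp_auth", value: ticket, maxAge: null }];
  }
  return [{ name: "pp_user", value: user, maxAge: LIFETIME },
          { name: "pp_auth", value: ticket, maxAge: autoSignIn ? LIFETIME : null }];
}

class Browser {
  constructor() { this.jar = new Map(); this.now = 0; }
  store(cookies) {
    for (const c of cookies) {
      const expires = c.maxAge === null ? null : this.now + c.maxAge;
      this.jar.set(c.name, { value: c.value, expires });
    }
  }
  close() { // closing the browser discards session cookies only
    for (const [name, c] of this.jar) if (c.expires === null) this.jar.delete(name);
  }
  advance(ms) { // time passes; expired persistent cookies are dropped
    this.now += ms;
    for (const [name, c] of this.jar) {
      if (c.expires !== null && c.expires <= this.now) this.jar.delete(name);
    }
  }
  logout() { this.jar.delete("pp_auth"); } // assumed: sign-out clears the auth cookie
  get(name) { return this.jar.has(name) ? this.jar.get(name).value : null; }
}

// What the next person at the same browser gets after the first user walks away.
function nextPersonSees(options, { closeBrowser = true, hoursLater = 0, logout = false } = {}) {
  const b = new Browser();
  b.store(signInCookies("alice@example.com", options)); // constructed sample user
  if (logout) b.logout();
  if (closeBrowser) b.close();
  b.advance(hoursLater * HOUR);
  return { signedInAs: b.get("pp_auth") ? b.get("pp_user") : null,
           usernamePrefilled: b.get("pp_user") };
}
```

In this model the default and public-computer choices only protect the account once the browser has actually been closed; a session left open, or a persistent auth cookie within its lifetime, still signs the next person in.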
I've seen a lot of posts bashing Microsoft. I don't like Passport, not because I don't like everything from Microsoft, but because Microsoft PR tends to boast about the Passport system's security level in such a way that the general public wouldn't be aware of its risks.
(Of course, the fact that these people are unaccountable is one of the major factors; but this is just FUD in some people's eyes.)
The amount of personal information you give to the Passport system depends on the degree of trust you have in a username/password security system over the Internet.
I think Passport is secure to some degree, but it's definitely not absolutely secure (nothing is). However, I never hear Microsoft PR say 'but' when propagandizing their Passport system.
E.g. when I applied for a personal certificate I was given a time limit for using it. Not because the certificate issuer is a greedy bastard, but because they want me to know the encryption in it can be broken by known technology beyond this period (by brute-force attack, advances in computer tech, etc.).
Computer security is not absolute. The claims about its security level are part of the security system itself. No matter how well the Passport system is made, failure to give an honest claim would render it useless.
Just my opinion. You can start bashing me by clicking the reply below. Thanks.
You know, having been tested is not enough. What you need is something that has been tested with positive results.
This sig under construction. Please check back later.