
Microsoft Defends Passport To Privacy Group

securitas writes: "CNET reports that Microsoft is defending Passport as safe and secure in a presentation to the Center for Democracy and Technology. Other organizations such as the Electronic Privacy Information Center, Junkbusters and even the U.S. government may be lobbied by MS this week to fend off a Federal Trade Commission complaint filed by 15 consumer and privacy groups that charges unfair and deceptive practices."

7 of 250 comments

  1. One password, multiple accounts, low security by Ghoser777 · Score: 4, Informative

    This says it all:

    "One of Passport's greatest security weaknesses may be the single sign-on process, analysts said. The single point of entry could also be a single point of failure. Since the ID is always an e-mail address, someone looking to break into an account might easily obtain half the information needed to do so."

    Because people usually don't pick very secure passwords, it's better to have multiple passwords so that an eavesdropper or other malicious person can't crack into all your accounts. U of I just made people intentionally set all their 3 or 4 passwords instead of just giving them one that applied to all 4 (although most people tend to choose the same password for all their online services anyway).

    Also, because Passport's trying to incorporate a lot of information in one place that used to be distributed in many different places, if someone hacks into Passport, there goes all your privacy.

    F-bacher

    --
    James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
  2. Well, they *have* made concessions before by alewando · Score: 5, Informative

    Just last month, Microsoft changed the service agreement for their passport system to require only an email address and password to sign up. Did Microsoft do this without any arm-twisting? No. Did they do it, though? Yes.

    Just keep the pressure on them up. They're going to go ahead with some sort of service no matter what, but the amount of opposition they face now will determine how many of these concessions will be made "voluntarily". That way, even if the FTC doesn't come down with a favorable ruling, we won't be completely left out in the cold.

    Incidentally, msnbc also has some coverage. A disinterested and impartial news source if there ever were one... or not, as it were.

  3. Re:security and privacy a difficult issue by jonnosan · Score: 5, Informative

    If you have a look at the passport SDK, you'll see that the affiliated sites don't have direct access to any of the user's data.

    A site that wants to use Passport for SSO generates a URL that redirects to the passport website. Then the user logs in, and passport redirects back to the original site. The original site can then access the authenticated username, but that's it.

    When the site wants to get some data from the user, say the user's age or address, they don't query passport directly. What they do is redirect back to passport, passport generates a form with the values prefilled in. Then the user can edit those values, or just click submit, and the values are posted back to the original site.

    So as a user you still get full control over what data a site you visit has. And you can tell a particular site info that is different from what is stored in passport. But it does save you typing in the same old boring gumpf into site after site.
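
    The redirect flow described in the comment above, as an added illustration that is not code from the post or from Microsoft: an affiliated site sends the browser to the identity provider, the provider authenticates and redirects back, and the site recovers nothing but the authenticated username. The ticket format (an HMAC-signed "user|issued_at" string under a per-site shared secret), the site and user data, and the hostnames are all assumptions; the page does not describe Passport's real ticket.

```python
# Added illustration, not code from the post or from Microsoft: a minimal model of
# the redirect-based single sign-on flow described above. The ticket format is an
# assumption (an HMAC-signed "user|issued_at" string under a per-site secret).
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data: one affiliated site registered with the identity
# provider and one user in the provider's account store.
SITE_SECRETS = {"shop.example": b"constructed-shared-secret"}
USER_PASSWORDS = {"alice@example.com": "correct horse"}
TICKET_TTL = 300  # seconds during which a returned ticket is accepted


def _query(url):
    """Flatten the query string of a URL into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def site_login_redirect(site_id, return_url):
    """Affiliated site: build the URL that sends the browser to the identity provider."""
    return "https://login.idp.example/login?" + urlencode({"site": site_id, "ru": return_url})


def idp_login(redirect_url, email, password):
    """Identity provider: check the password and redirect back with a signed ticket.
    Only the username travels back; no profile data is included."""
    q = _query(redirect_url)
    if USER_PASSWORDS.get(email) != password:
        return None
    payload = f"{email}|{int(time.time())}"
    sig = hmac.new(SITE_SECRETS[q["site"]], payload.encode(), hashlib.sha256).hexdigest()
    return q["ru"] + "?" + urlencode({"t": payload, "sig": sig})


def site_verify_return(site_id, return_url, now=None):
    """Affiliated site: verify the ticket and recover only the authenticated username.
    Returns None for a missing field, a bad signature or a stale ticket."""
    q = _query(return_url)
    if "t" not in q or "sig" not in q:
        return None
    expected = hmac.new(SITE_SECRETS[site_id], q["t"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, q["sig"]):  # constant-time comparison
        return None
    email, issued = q["t"].rsplit("|", 1)
    if (now if now is not None else time.time()) - int(issued) > TICKET_TTL:
        return None
    return email
```

    The profile step the comment goes on to describe (a prefilled form the user edits and posts to the site) is deliberately outside this flow: the ticket carries the username and nothing else.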

  4. Passport EULA and Privacy Policy by dragons_flight · Score: 4, Informative

    For those that are interested here are links to the:

    Passport EULA

    Passport Privacy Policy

  5. Re:security and privacy a difficult issue by howardjeremy · Score: 3, Informative

    When the site wants to get some data from the user, say the user's age or address, they don't query passport directly. What they do is redirect back to passport, passport generates a form with the values prefilled in. Then the user can edit those values, or just click submit, and the values are posted back to the original site.

    Or you can just use the very cool (and free) RoboForm which sits in your toolbar and auto-fills forms that pop up in your browser (there are other form-fillers around but I haven't tried them).

    This kind of software doesn't require you to submit your personal information to a centralised authority (it's stored on your PC), and you can keep multiple 'identities' and choose which to use to fill in a form. I keep 'complete', 'partial', and 'anonymous' identities which I use to decide how much (and how truthful) information I want to give to a site.

  6. I will NEVER trust passport... by Kazymyr · Score: 3, Informative

    ...unless they specifically address the bullying issues they have towards the consumer.

    I used to have a Hotmail account, for several years (even before they were bought by MS). I was only logging in every 3-4 months, mostly to keep it active, because it wasn't my main email address.

    One day I found in it a message informing me that I had been automatically issued a passport. Without my consent. They had just taken the info in my hotmail registration and created a passport for me, without asking my permission. I got very angry, and asked that the "passport" be removed, because I didn't want it. The reply was "it cannot be removed, once you got one, you're stuck with it forever". It seems that, by logging into my hotmail account after they had sent me the info, I had "automatically given them permission to activate the passport". But nowhere on the login page was there any information about this!

    I eventually let the hotmail account expire, but AFAIK the passport account they crammed down my throat is still there. There is no option to delete it.

    --
    I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
  7. Misconstruing Passport by sheldon · Score: 5, Informative

    When you sign in to Passport there are two checkboxes...

    One says 'Sign me on Automatically'. If you check this, a cookie is stored that remembers to authenticate you from then on.

    If you don't check this box (which is the default condition), then a cookie is created and stored which remembers your username. But the authentication information is stored as a session cookie which disappears when you close the browser.

    There is a second checkbox. It says 'I'm using a public computer'. This stores a session cookie on your machine for both the username and authentication.

    Once you have closed the browser, the session cookie is gone and you no longer authenticate automatically, nor is your username auto entered for you.

    So while I understand your concern, Microsoft has provided two checkboxes which alleviate this concern. Neither checkbox is on by default which means the default behavior is to remember your username only.

    If you have a better solution to this problem, I'm sure we'd all appreciate hearing about it.

    BTW, the paper you linked to has much better explanations of problems Passport might have than what you wrote about. Man in the middle type attacks that involve redirecting DNS, etc.
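
    The three cookie outcomes the comment above describes (default, 'Sign me on Automatically', 'I'm using a public computer'), as an added illustration that is not code from the post or from Microsoft: each mode becomes a pair of Set-Cookie headers, and a browser-close simulation shows which cookies survive. The cookie names, the 30-day lifetime, the Secure/HttpOnly attributes and the rule that the public-computer box overrides the other are assumptions, not Passport's own settings.

```python
# Added illustration, not code from the post or from Microsoft: the three checkbox
# outcomes described above as Set-Cookie headers, plus a browser-close simulation.
# Cookie names, the 30-day lifetime and the Secure/HttpOnly attributes are assumptions.
from http.cookies import SimpleCookie

PERSIST_SECONDS = 30 * 86400  # assumed lifetime of a persistent cookie


def issue_cookies(auto_sign_in=False, public_computer=False):
    """Return the Set-Cookie header strings a sign-in response would carry."""
    jar = SimpleCookie()
    jar["username"] = "alice@example.com"  # constructed sample value
    jar["auth"] = "opaque-session-token"  # constructed placeholder for the credential
    for name in ("username", "auth"):
        jar[name]["path"] = "/"
        jar[name]["secure"] = True  # only sent over HTTPS
        jar[name]["httponly"] = True  # not readable from page script
    # Default (no box checked): the username persists, the credential is a session cookie.
    # 'Sign me on Automatically': the credential persists as well.
    # 'I'm using a public computer': neither persists (assumed to override the other box).
    if not public_computer:
        jar["username"]["max-age"] = PERSIST_SECONDS
        if auto_sign_in:
            jar["auth"]["max-age"] = PERSIST_SECONDS
    return [morsel.OutputString() for morsel in jar.values()]


def surviving_after_browser_close(set_cookie_headers):
    """Simulate closing the browser: a cookie with neither Max-Age nor Expires is a
    session cookie and is discarded. Returns the names that remain, sorted."""
    kept = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0]
        if "Max-Age=" in header or "Expires=" in header:
            kept.append(name)
    return sorted(kept)
```

    With neither box checked only the username cookie outlives the browser session, which is the default behaviour the comment describes.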