Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Defends Passport To Privacy Group

Posted by timothy on from the just-look-at-that-shine dept.

securitas writes: "CNET reports that Microsoft is defending Passport as safe and secure in a presentation to the Center for Democracy and Technology. Other organizations such as the Electronic Privacy Information Center, Junkbusters and even the U.S. government may be lobbied by MS this week to fend off a Federal Trade Commission complaint filed by 15 consumer and privacy groups that charges unfair and deceptive practices."

3 of 250 comments (clear)

  1. Well, they *have* made concessions before by alewando · · Score: 5, Informative

    Just last month, Microsoft changed the service agreement for their passport system to require only an email address and password to sign up. Did Microsoft do this without any armtwisting? No. Did they do it, though? Yes.

    Just keep the pressure on them up. They're going to go ahead with some sort of service no matter what, but the amount of opposition they face now will determine how many of these concessions will be made "voluntarily". That way, even if the FTC doesn't come down with a favorable ruling, we won't be completely left out in the cold.

    Incidentally, msnbc also has some coverage. A disinterested and impartial news source if there ever were one... or not, as it were.

  2. Re:security and privacy a difficult issue by jonnosan · · Score: 5, Informative

    If you have a look at the passport SDK, you'll see that the affiliated sites don't have direct access to any of the user's data.

    A site that wants to use Passport for SSO generates an URL that redirects to the passport website. Then the user logs in, and passport redirects back to the original site. The original site can then access the authenticated username, but that's it.

    When the site wants to get some data from the user, say the user's age or address, they don't query passport directly. What they do is redirect back to passport, passport generates a form with the values prefilled in. Then the user can edit those values, or just click submit, and the values are posted back to the original site.

    So as a user you still get full control over what data a site you visit has. And you can tell a particular site info that is different to what is stored in passport. But it does save you typing in the same old boring gumpf into site after site.

  3. Misconstruing Passport by sheldon · · Score: 5, Informative

    When you sign-in to Passport there are two checkboxes...

    One says 'Sign me on Automatically'. If you check this, a cookie is stored that remembers to authenticate you from then on.

    If you don't check this box(which is the default condition), then a cookie is created and stored which remembers your username. But the authentication information is stored as a session cookie which disappears when you close the browser.

    There is a second checkbox. It says 'I'm using a public computer'. This stores a session cookie on your machine for both the username and authentication.

    Once you have closed the browser, the session cookie is gone and you no longer authenticate automatically, nor is your username auto entered for you.

    So while I understand your concern, Microsoft has provided two checkboxes which alleviate this concern. Neither checkbox is on by default which means the default behavior is to remember your username only.

    If you have a better solution to this problem, I'm sure we'd all appreciate hearing about it.

    BTW, the paper you linked to has much better explanations of problems Passport might have then what you wrote about. Man in the middle type attacks that involve redirecting DNS, etc.