Microsoft Opens Up Windows Live ID
randommsdev writes "Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly, sample implementations are available in the Ruby, Python, Perl, and PHP open source languages amongst others — tested on openSUSE 10.2 but expected to work on any platform that supports these languages. More details are available in the SDK documentation."
urls gone wlid!
Until the first site with a fake passport login form shows up? I mean before semi-intelligent people weren't going to enter their passport ID into non-MS websites, but now... I bet a lot more corporate keys get exposed this way as passport is the keys to your Enterprise Licensing kingdom.
What keeps anyone from creating a site (and/or spamming for it), saying it uses Windows Live authentication, then just farming a giant pile of logins they can sell or use for evil things?
They changed the name
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Great... it's copyrighted and provides no license.
Solution looking for a problem.
With so many security and authentication issues inherent to MS products, this seems another case of marketing pushing faster/harder than the development teams can keep up with.
If it backfires for them, look for flying chairs...*ducks*.
Like the diebold voting booths? ;)
Go to Hotmail. You will see that Hotmail now requires you to login with Windows Live ID. Now, take a look at this page. It's a login page. They want you to enter your ID and your password. This is what gives you access to all the different services that are currently integrated with Windows Live ID, and will be integrated in the future. It's basically your "master password". Thing I'm trying to stress here: you shouldn't just give this out to anyone who asks. Ok, you get the idea.
So, the first check you should do whenever you're logging into a page is what? That's right, check the url. "http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&c...." etc. Great, login.live.com, that's what I expect. Cool. Ok, so what's the second thing I should check? Anyone? Come on, it's web password security 101 here people. What do I need to check before I enter a login/password on a web site? That's right.. I need to check I'm on an SSL secured page. The url should start with what? https right? And I should look for the little lock in my browser window.. and if I'm feeling especially paranoid I should check the security certificate to see whether or not it is valid, not expired, and for the site that I am expecting.
This page has none of those things. Well done Microsoft.
Oh, but it gets better. There's this link that says "Use enhanced security". I would have thought that "enhanced" security was a sensible default, silly me. It's not underlined, so you don't know it is a link until you hover your mouse over it, but it will take you to a https:// page. Of course, the certificate it offers you is not for login.live.com, it's for graphics.hotmail.com. If you accept this certificate then you are basically saying that you're ok with trusting this data that didn't come from graphics.hotmail.com as if it did come from graphics.hotmail.com. Just for the hell of it, let's fire up this "enhanced security" page in IE and see what happens. Oh.. I see. We get no warnings. In fact, if we double click on the padlock we see that the certificate now IS for live.login.com. Hmm, what's going on here. Ahh, I see, half the content on this page didn't come from live.login.com, it came from graphics.hotmail.com.. so this isn't a secure site *at all*, it's a mixed domain site and IE's pitiful support for multiple certificates on a single page is happy to just ignore this (and doesn't even warn you).
XSS anyone?
before semi-intelligent people weren't going to enter their passport ID into non-MS websites, but now... I bet a lot more corporate keys get exposed this way as passport is the keys to your Enterprise Licensing kingdom.
Hmmm, massive FUD has much inertia. First, intelligent people have known for a long time not to trust M$ with anything. This has harmed the online economy, but that's a different story. If the 25% prevalence of keyloggers is not enough, a rogue site has been able to harvest Passport IDs forever, because IE can be resized, reshaped and made to look like whatever the rogue site wants it to. Firefox puts a stop to menu hiding and resizes, but Mozilla.org can't save you from a key logger.
There's no possible way anything could go wrong with this plan.
What if I do the same thing, and I do get different results?
The ToU is on the downloads page: https://msm.live.com/app/tou.aspx
Is it just me, or does placing this article directly above the Diebold rebranding article make you think of a theme common to both? Company loses credibility. Keeps trying to regain it, but still doesn't grok that you can't just make it *look* like you've changed your spots. You actually have to change your behavior, and regaining credibility takes a lot longer than destroying it does.
Does this mean they've given up on CardSpace, which is built into Vista right now? I thought it was a much better solution to the need for single sign-on. Check out thechannel9 video.
I thought Passport was outed years ago as being fundamentally broken. Why would I want to implement it on my site? Did they fix it? If not, why are they still using it at all?
I'd prefer to see the rise of OpenID. Now if Microsoft gave you an OpenID authentication point with your LiveID (preferably with something simple, like adding the OpenID <link> tags to login.live.com or even just live.com), that would be a feature worth using and supporting. And wouldn't require changing the sites that already support OpenID, including, AFAIK, the SixApart family of blogs.
With modern technology, diverse applications are a good thing (healthier market and better apps from consumer selection). Information, however, is more useful the more widely it can be read and used. Unless you are specifically trying to hide something.
Unfortunately, like Live ID, there seem to be more OpenID providers than servers that use them for authentication.
Part of the registration process was that I was required to get a Passport ID. I felt like I'd just sold my soul to The Devil just to get a paycheck.
I use 3 passwords for all sites I access, mapping to 3 levels of trust. I try to use the same user id when possible:
Level 1 : risky
Level 2 : less risky
Level 3 : almost trustable
For sites that I really trust (banking, etc...) I use dedicated passwords. I can also forecast problems with a single sign-on scheme that would be more or less like giving away your social security number if hacked.
I have worked on this problem before for big organizations, and one conclusion we came up with was that we needed to reuse the old assembly-language "indirection" principle, called pointers in higher-level languages.
So basically, one has to be able to authenticate with multiple sets of username/password combinations. Once the unique user is authenticated, the central authentication authority limits its role to just that, authenticating the user.
All authorization is managed by the local system that interacts with the user.
Do a search for MBUN on Google. In Canada, a user can have multiple MBUNs to deal with the government. This solution was implemented to cope with privacy concerns and still allow the citizen to deal with the government with the same level of privacy that was previously achieved with paper forms. Basically, what has been done is creating a mapping between the MBUN and the real userid, and the citizen has been given the choice to have as many MBUNs as he wishes to deal with the government.
Serious concerns should apply to too simplistic solutions ;-)
Now for all /. MS bashers to enjoy: although a qualified partner in the project, none of MS's products were used to implement the solution. Given the money and the visibility at stake, this caused a commotion in Canada, with MS's Canadian VP putting pressure on everybody to reverse the decision.
Hey Sam, your products are just too simplistic and too proprietary. Phone us next year please ;-) That was really funny, the guy just couldn't understand that McDonald's-like marketing techniques did not work in this case. I mean, they even flew us for a week to Redmond at the campus to try to brainwash us, but still no go for MS.
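The comment above describes the shape of the MBUN arrangement: one central authority that does nothing but authenticate, an indirection between the real user id and what each site sees, several aliases per person if wanted, and authorization kept on the local system. The following is an added example of that pattern in Python; it is not the Canadian system's code nor anything from Microsoft, and the key, user records, party names and the HMAC-based alias derivation are all assumptions made for the demonstration.

```python
"""Single authentication, many identities: a central authority checks the
password once and then hands each relying party an opaque pseudonym derived
for that party, so no two parties can link the same person and the real user
id never leaves the authority.  Authorization stays with each party.  Added
example in the spirit of the MBUN arrangement described above; it is not the
Canadian system's code, and the key, users and party names are constructed."""
import hashlib
import hmac
import secrets


class PseudonymAuthority:
    def __init__(self, pseudonym_key):
        self._key = pseudonym_key       # secret that links aliases to users
        self._users = {}                # uid -> (salt, pbkdf2 hash)
        self._sessions = {}             # token -> uid

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, uid, password):
        salt = secrets.token_bytes(16)
        self._users[uid] = (salt, self._hash(password, salt))

    def login(self, uid, password):
        """Verify the password; return a session token, or None on failure."""
        rec = self._users.get(uid)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = uid
        return token

    def pseudonym(self, token, relying_party, label=0):
        """Resolve a session to the alias for (user, party, label).

        The same user gets a different alias at every party and may hold
        several aliases (labels) at one party; only this authority, holding
        the key, can map an alias back to the user."""
        uid = self._sessions.get(token)
        if uid is None:
            return None
        msg = "%s\x00%s\x00%d" % (uid, relying_party, label)
        return hmac.new(self._key, msg.encode(), "sha256").hexdigest()[:32]


class RelyingParty:
    """A site that trusts the authority for authentication only and keeps its
    own authorization records, keyed by alias rather than by real user id."""

    def __init__(self, name, authority):
        self.name = name
        self._authority = authority
        self._roles = {}                # alias -> set of roles

    def login(self, token, label=0):
        alias = self._authority.pseudonym(token, self.name, label)
        if alias is not None:
            self._roles.setdefault(alias, set())
        return alias

    def grant(self, alias, role):
        self._roles.setdefault(alias, set()).add(role)

    def allowed(self, alias, role):
        return role in self._roles.get(alias, set())


if __name__ == "__main__":
    authority = PseudonymAuthority(b"constructed-demo-key")   # constructed
    authority.register("alice", "correct horse battery staple")
    tax = RelyingParty("tax.example", authority)
    health = RelyingParty("health.example", authority)
    token = authority.login("alice", "correct horse battery staple")
    print("tax alias:       ", tax.login(token))
    print("health alias:    ", health.login(token))
    print("second tax alias:", tax.login(token, label=1))
```

The point to notice is that `tax.example` and `health.example` each receive a stable alias for the same person, but the two aliases cannot be correlated without the authority's key, and a role granted at one party means nothing at the other because each keeps its own table.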
and how this compare to OpenID ? (See also OpenID Enabled for those interested in using it)
What makes LiveID different from Passport or other auth systems? I'd like a way to sign in to multiple sites without having to remember and type a username and login for each one, but so far every solution for the problem has been widely rejected. What are the limitations with these single sign-ons that cause sites to prefer rolling their own logins?
Because MSN Messenger comes with most desktop computers, masses of people use MSN, thus making its closed system attractive for other people to join; new computers usually come with an "MSN Browser" on the desktop, most desktops come with Hotmail and other MSN bookmarks filling their bundled browser, MSN is often the homepage of these bundled browsers, the bundled media player has MSN built into it, etc. People might not like it, but it is forced down their throats anyway, and once that's been done most people won't go through the hassle of using an alternative.
Supported Operating Systems: Linux; Windows Vista; Windows XP
How's the weather in hell these days?
Looks pretty.
Well, it will inherit Microsoft's stellar security and perfect programming. Besides which, it's a closed network unlike OpenID, so it will be about as popular as Google's Account Authentication, which does the same thing but with Google Accounts. Even OpenID isn't that widely used, and it's an open system.
Putting the discussion on whether this is a good idea or not aside (you guys have already discussed that quite a bit), it's interesting to see how they are going about deploying this. I'm sure if they were doing this a few years back they would have provided sample code for MS sites and left the others to come up with their own implementations. It's interesting to see that more and more they are leaving their MS lock in tactics behind.
The worst possible things that could happen for widespread adoption of a universal login system are:
1. Competition between different standards.
2. Companies with profit motives pushing their own solutions.
It's like the whole HD-DVD vs BluRay issue. End users don't want to deal with choosing one or the other. It would be better for everyone if we could all just come together around one completely open standard.
The standard with the most momentum seems to be OpenID. I hope that a few years from now, I'll be using it for most of my web logins.
Given the nature of the Beast, it would not be extravagant not to make assumptions other than expecting the worst case..
Why on earth would I want to, of all things, authenticate using a 3rd party proprietary system from a vendor with proven business practices like MS? That seems like the very last thing I want to do. And I haven't even mentioned the outages, so your uptime depends on MS. What are you gonna do when that happens, call them? I have a much better idea, Bill. Why don't you use my unified login system. I've made a version in Visual Basic especially for you.
I'm having trouble believing you got so many responses defending single-sign-on.
The safest way to do single-sign-on is like Apple does it. (And I think there is a similar GNU tool with gpg?) You have a password that unlocks your keychain, and the keychain software negotiates with the sites you visit. Theoretically, the keychain software doesn't miss red flags, such as sites requesting keys/passwords that don't belong to them.
The problem with keychains is that they fall when your login account falls. Well, the tokens may be stored encrypted, and the user may be smart enough to have a separate password on the keychain, but all it takes is a well-hidden keylogger. I'm pretty sure no one is handling the issues that allow hidden keyloggers to be left lying around as long as we are browsing the web with the same effective user that we logged in as.
Single-sign-on is just plain wrong for any information that could hurt you if the wrong people get it.
Even a separate hardware token keychain which connects "directly" to the internet (instead of through your general-purpose PC) has to somehow deal with the man-in-the-middle. General purpose keys are a bad idea.
Apple's keychain is managed on your local machine, as opposed to being managed by a large corporation that wants to sell people on the idea that they can handle all the "hard" problems of day-to-day living.
No, your e-mail account_s_ (plural) are not single points of attack, unless you use _all_ your e-mail accounts to sign up for everything you sign up for.
Your idea that your own server should be managing your keys is as close as you have come to a reasonable solution, but it is still subject to all sorts of man-in-the-middle.
I don't understand your final comment about controlling your password for single-sign-on at all. Does some would-be single-sign-on vendor want to take even the final password away? Or do you misunderstand the concept of keys instead of passwords? Or what?
what if someone you trust happens to accidentally (virus in a critical MSWindows server or something) reveal your high-trust password? And some guy who sees it decides to add your password to his brute-force dictionary?
General purpose security? That's an oxymoron, mathematically speaking.
What we need to be doing is moving to dedicated browsers for financial and other high-security sites. But, no, Microsoft, in their wisdom, decides to tape single-sign-on on top of M$IE.
(Does anyone besides me read "MS Internet Explorer" as "Mi$iEry"?)
Dedicated browsers are only a stop-gap, but they could at least help getting the general crowds moving away from M$IE.
Truth be told, I missed that you said openid instead of that thing MS is offering.
/. encourages you to think twice about any solution that uses a general purpose browser, and encourages you to keep your financial stuff off-line as much as you can. (Good luck with that, these days, though.)
However, concerning the e-mail being a single point of failure, that's your fault.
I don't do that. I have at least three e-mail accounts, and I spread registrations around as appropriate. ssl login helps tighten up at least one of my e-mail accounts. The single point of failure is the user account I log into them all with. (Not on M$Windows.) (There's a reason I'm being vague on numbers.)
I haven't looked at openid, but if it allows you to trust someone else with your keys, it's just plain missing on the most important concept. Your own server is the correct direction to be headed, and even that has its limits. Yes, I'm talking about man-in-the-middle, among other things, if, for instance, you plan on accessing your keychain equivalent on it from outside your local LAN.
I have to go to work in two hours, and I have to exercise first, so I don't have time to explain, but you can consider that some unknown interlocutor on
The 'one password for everything' concept is fundamentally broken. It is like having one key for everything you own- your house, your car. During a vacation, I *want* to be able to give the housekeeper access to my house, but I also want to *prevent* her from going for a joyride in my brand new expensive car. The fact that I have neither a housekeeper nor a brand new expensive car is a minor detail.
It is just sad to read the Python implementation of this functionality. Almost nothing is written according to the Python Style Guide. Weird "__foo" variables can be found, then it's not Python 2.3 compliant because of ONE silly "staticmethod", and there are many "getters" and "setters" which are just useless in this script. If MS wants to show their code to the scripting community, they should at least make it pretty and according to the language's coding standards. But maybe that is their understanding of "pretty". Who knows.
I think I would prefer Windows Dead.
Oh yeah I'd love to use an authentication system on multiple sites that forces me to re-enter my password in Firefox every time I visit hotmail.com!
At least with OpenID anyone can use their own server, so a phisher wouldn't know what to make the phishing page look like. They could spoof a few known providers, but the one I use (myopenid.com) has an option to not let you log in from a different site. It gives you a page telling you to manually open a new window and log into that and then click the link to continue. That takes care of phishing...
System Requirements
How far have we come?
This is not really news; Passport used to be open a couple of years ago when the bubble burst. No one really used it much, so they closed it again. The idea is not too bad, but I don't see this happening any time soon. They will probably close this too when the next bubble bursts.
New market: either proprietary web-based services (quasi-thin client) or a standards-based, PC-based market. Microsoft wants the latter, Google wants the former. Consequently, Microsoft is opening up to open source, as it will help it gain its goals.
The important thing to remember about corporations is that they're not evil. They're realpolitik. Their only goal is to make their stock price rise, so their stockholders go home happy. Stockholders are people like you and me who've bought Microsoft stock and want to make money off of it.
F/OSS is people power, which should come out and admit that it is opposed to this system. It's not anti-capitalism, but it is anti-capitalism, in its own way. I don't think it means bad by this. I compare it more to the volunteers who spend more time than most people do at day jobs to help their communities. But even that is insane from a capitalist perspective, since they could be getting $$$ for that time.
Seriously. What reason could anyone possibly want to use WLID for when OpenID already exists?
How is this different from OpenID, other than that MS displays a massive not-invented-here syndrome?
Redmond Rule #92
"Whenever a thing coming out of our premises has caused a certain degree of skepticism, even mistrust, we'll just call it by another name and be done with it, for some time."
Not so fast, Microsoft. Passport, passport, passport.
There are people who will remember.
I don't know why we need a central authentication system for websites. It's just a bad idea.
Even worse when a company like MS is pushing it. I think it's a trap.
They want people to develop opensource apps, and popular websites, like myspace, around this 3rd party auth system.
Before you know it, MS will be sending out their goons to shake down all of these developers who are using it. Either pay up for a license, or rewrite your whole auth backend.
All your users are belong to us!
OpenID proxy for Google, MSN, Hotmail, etc.
http://openid.nabber.org/
I've never understood why more people don't complain about this discrepancy.
The HTML containing a form and the URL the form is submitted to can have completely different levels of security. The "yellow padlock" means the form itself was served with https, when what's important is that the form data is going to be submitted via https. Nothing to do with Live or Microsoft; why is this considered acceptable in general?
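The three checks raised in this thread (the earlier walk-through of the login.live.com page: is the page itself https, and is all of its content from the host the certificate names; and the point just above: does the password form actually submit to https) can be scripted against a page's HTML. The following is an added example in Python, not code from the page or from Microsoft; the URLs and HTML in it are constructed, and the severities and the choice of which tags count as sub-resources are assumptions of the example.

```python
"""Audit a login page for the checks raised in the thread: is the page itself
served over https, does the password form actually submit to an https URL on
the same host, and does the page pull scripts or styles from other hosts or
over plain http (the "mixed domain" case).  This is an added example, not code
from the page or from Microsoft; the URLs and HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginPageParser(HTMLParser):
    """Collects every form (action + whether it has a password field) and the
    URLs of sub-resources the page loads."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.resources = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of (severity, message) findings for one login page."""
    page = urlsplit(page_url)
    parser = _LoginPageParser()
    parser.feed(html)
    findings = []

    if page.scheme != "https":
        findings.append(("high", "login page served over %s, not https" % page.scheme))

    for form in parser.forms:
        if not form["password"]:
            continue  # search boxes etc. are not the concern here
        # A relative action is resolved against the page URL, as the browser does.
        action = urlsplit(urljoin(page_url, form["action"]))
        if action.scheme != "https":
            findings.append(("high", "password form submits over %s to %s"
                             % (action.scheme, action.netloc)))
        elif action.netloc != page.netloc:
            findings.append(("medium", "password form submits to another host: %s"
                             % action.netloc))

    for src in parser.resources:
        res = urlsplit(urljoin(page_url, src))
        if page.scheme == "https" and res.scheme == "http":
            findings.append(("high", "mixed content: %s loaded over plain http" % res.netloc))
        elif res.netloc != page.netloc:
            findings.append(("low", "sub-resource from another host: %s" % res.netloc))
    return findings


# Constructed sample: a login page that loads its script from a second host and
# posts the password form to an https endpoint on its own host.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://graphics.example.net/login.css">
<script src="http://graphics.example.net/login.js"></script>
</head><body>
<form method="post" action="https://login.example.net/post.srf">
  <input type="text" name="login">
  <input type="password" name="passwd">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""
# Constructed look-alike page: same markup, but the password form posts elsewhere.
PHISH_HTML = SAMPLE_HTML.replace("https://login.example.net/post.srf",
                                 "http://login-live.example.org/collect")


if __name__ == "__main__":
    for url, html in [("http://login.example.net/login.srf", SAMPLE_HTML),
                      ("https://login.example.net/login.srf", SAMPLE_HTML),
                      ("https://login.example.net/login.srf", PHISH_HTML)]:
        print(url)
        for severity, message in audit_login_page(url, html):
            print("  [%s] %s" % (severity, message))
```

Run against the first URL it reports the page itself being plain http; against the second, the same markup now counts the http script as mixed content on an otherwise https page; against the look-alike it flags the password form posting over http to a host that is not the page's own, which is the "farm a pile of logins" case from earlier in the thread. A browser's padlock answers only the first question, which is the discrepancy the comment above complains about.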
You should have the housekeeper going with you (that is, assuming she's hot).
Way to get yourself modded up interesting, when Python 2.3 is basically obsolete and __foo variables are standard fare in the community.
It has long been my suspicion that a certain alleged "person" whose initials are W!ll!am G@tes III was in reality a plastic mask being worn by the devil. And that using this assumed persona, the evil one was employing the resources of sMegmasoft to create the infrastructure to be used by the "beast" to rule the world.
Y'know - as in Revelations chapter 13-
"16 He also forced everyone, small and great, rich and poor, free and slave, to receive a mark on his right hand or on his forehead, 17 so that no one could buy or sell unless he had the mark, which is the name of the beast or the number of his name.
18 This calls for wisdom. If anyone has insight, let him calculate the number of the beast, for it is man's number. His number is 666."
Even for those not given to seeing the boogey man behind every curtain, the prospect of any significant portion of the economy becoming dependent upon one authentication method controlled by a company of dubious reputation should raise the hackles on the back of one's neck, eh?
Agreed.
Do you have any suggestions for how to get going with respect to the second part of this?
Cool I can't wait till I can sign into Slashdot hosted on SuSE with my Windows LiveID! Seriously though... When .NET doesn't work, go open source and compete? Just another way to prolong a failing product.
I was told I could get better 'placement' if I replied here.
I admit it was 'Anonymous Coward' posting - (Alas, I am not sure who he is) but- Is this true?
Thank you, Shushdot-
I remain, your most truthfully affectionate soviet servant.