Why not to use Microsoft Passport

Posted 2 Nov 2001 at 22:27 UTC by ask

Marc Slemko has written an excellent article about some of the weaknesses in Microsoft Passport.

"The current implementation of Passport, ignoring the new Windows XP specific functionality for the moment, is wholly inadequate to this task. It does not allow for sufficient control over the use of authentication information by a user and, where current technologies fall short of the ideal, it trades off security in favor of convenience in a way that leaves users vulnerable."

"Windows XP attempts to integrate Passport accounts more transparently with a user's XP login account. This integration, while offering the potential for decreased security risks if implemented properly, appears to, in its current implementation, possibly increase the risk by allowing the user to be automatically authenticated in situations where they did not expect to be or explicitly allow it. Further investigation is necessary to fully understand the security implications of this poorly documented (and apparently still changing on the Passport servers) integration.

The risk to users today is mitigated substantially by the fact that Passport use is not all that widespread for anything more important than Hotmail accounts, and customizations on other Microsoft sites. The security implications, however, of having this Passport be a single identity for a user, in widespread use across the Internet, are dire.

It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software (it only took me about 30 minutes to come up with the basics of the example exploit, why didn't they notice the same issues?) or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their users' security. Either way, extreme caution is necessary when considering the adoption of Passport technologies and, by implication, any technologies built on top of Passport."

Read his full article at http://alive.znep.com/~marcs/passport.

Wired made a story on this article too.

microsoft strategy, posted 3 Nov 2001 at 15:33 UTC by lkcl » (Master)

microsoft are not interested in security [okay: only if it satisfies the following statements]. they are interested in getting to market and _keeping_ their market. they are also interested in keeping support calls to an absolute minimum. they are also interested in backwards compatibility.

microsoft is interested in _money_ [gosh, is that a crime in business?]

once you realise these things, the resultant outcome[s] become very obvious and understandable. poor software. multiple updates / upgrades / hotfixes. lack of security audits by professionals. the whole works...

no surprise, posted 4 Nov 2001 at 22:47 UTC by mobius » (Master)

Security and convenience are mutually exclusive. The more security you have, the less convenient it is. Right now, MS has everything set up to be as convenient as possible. The only real way to fix these holes is to reduce convenience, and that's bad for business. Instead, MS will continue producing half-assed patches as needed.

