Forum OpenACS Q&A: MS Passport Security Flaw Article

Posted by Tom Jackson on

Here is the original author's article discussing a newly discovered massive security flaw in Microsoft's Passport service. http://alive.znep.com/~marcs/passport/

It doesn't appear that there is any more security in the protocol than in HTTP basic authentication, even without the bugs discussed.

Posted by Don Baccus on
Yes, I read this today along with the news that the Feds have settled their anti-trust suit, agreeing to a clause that allows Microsoft to keep any protocol involving "security" secret. This will allow them to not only plunge forward with Passport and other .NET pieces without being required to publish protocol details but to continue their "embrace and extend" efforts to replace open, standardized protocols.

So...

Does Bill Gates keep his credit card information in Passport?

If so, the author of this exploit is far more scrupulous than me :)
Posted by G. Armour Van Horn on
I don't think I'll be able to pull it off, but my mantra recently seems to be "Microsoft Free in Twenty-aught-three."

And not a week goes by that I don't have more reason to try for it.

    Van

Posted by Daryl Biberdorf on
Greenspun's comments about Microsoft's refusal to learn from others' mistakes ring painfully true in this article. Just as it took Unix and its key programs years to go from weak, convenience-oriented security to something trustworthy, Microsoft seems committed to pursuing the same path. I've refused to use Passport knowing the security track record of the company behind it, but this article makes all my concerns concrete. It will be a terribly funny day (in a tragic, comeuppance sort of way) when "production" Passport is cracked in a way that leads to the abuse of thousands of credit cards. And we all know that that day will come.