[Am-info] From: Security Alert Consensus #122
Fred A. Miller
fm@cupserv.org
Thu, 8 Nov 2001 16:18:34 -0500
Some interesting accusations were made this week about the security
of Microsoft's Passport technology. A researcher found that Passport's
caching of credentials can be preyed upon; a few cross-site scripting
attacks also provided avenues of exploitation. Microsoft, fortunately,
has fixed or addressed many of the problems, but it does raise an
interesting question: Given Microsoft's track record of security
exposures (100 published bulletins in 2000 and 54 bulletins to date
for 2001), do you trust Passport to be a central database of user
information?
http://alive.znep.com/~marcs/passport/
--
----/ / _ Fred A. Miller
---/ / (_)__ __ ____ __ Systems Administrator
--/ /__/ / _ \/ // /\ \/ / Cornell Univ. Press Services
-/____/_/_//_/\_,_/ /_/\_\ fm@cupserv.org