[Am-info] From: Security Alert Consensus #122
Geoffrey
esoteric@denali.atlnet.com
Thu, 08 Nov 2001 16:22:35 -0500
"Fred A. Miller" wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Some interesting accusations were made this week about the security
> of Microsoft's Passport technology. A researcher found that Passport's
> caching of credentials can be preyed upon; a few cross-site scripting
> attacks also provided avenues of exploitation. Microsoft, fortunately,
> has fixed or addressed many of the problems, but it does raise an
> interesting question: Given Microsoft's track record of security
> exposures (100 published bulletins in 2000 and 54 bulletins to date
> for 2001), do you trust Passport to be a central database of user
> information?
When it comes to this information, I don't trust Microsoft to protect
it, and I don't trust them with it.
--
Until later: Geoffrey esoteric@denali.atlnet.com
"...the system (Microsoft passport) carries significant risks to users that
are not made adequately clear in the technical documentation available."
- David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
- http://www.avirubin.com/passport