Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

The “successful” attack on Cardspace

The “successful” attack on Cardspace

  • Comments 4
  • Likes

I guess you read it as it was pretty wide-spread in the press in the last few days: On the Insecurity of Microsoft's Identity Metasystem CardSpace.

Well, is there any official Microsoft reaction to it? No, not yet and if you look a little bit more in depth into it, I doubt that there will be. Why? Because the whole setup is ridiculous – at least in my opinion. To cut it short: If you ignore all the warnings of the OS and pull down all the protection shields we built into Windows Vista, then it is possible to attack Cardspace. This is true. Is it making me nervous? Not really.

There are mainly two things that you have to do to make the attack successful before you can steal the Cardspace token: Spoof DNS and "compromise" the Root Cetificate Store. Hmm, we all know that attacking a DNS could be possible (even though they do not include it into their presentation) you need the help of the user as well in order to get a certificate in the Trusted Root store or trick a Certificate Provider into issuing a cert to you for a website you do not own. They failed to show in their "proof of concept" how they bring a root cert into the store without having serious support from the user.

Is this a Cardspace vulnerability? I let you decide it.

Kim Cameron posted twice now on this claimed vulnerability:

You know that we take vulnerabilities in our software serious. But what these students have done publically now is – with all due respect for their work – irresponsible. It might be cool for them to blame Microsoft and show vulnerabilities in our software – but if you do it, please make sure that you at least make the bar of a vulnerability without needing the in-depth help of the user.

Roger

Comments
  • Roger, reversing your statements in the conclusion leads to the following natural question: Is the requirement on "the in-depth help of the user" to keep Microsoft's Windows Vista secure a sign of higher responsibility?

    Relying on user's ability to protect own system has never been a serious argument in favor of a secure software. Moreover, it is rather the security unawareness of naive users that caused many successful attacks in the past.

    Although attacks against DNS and Trusted Root are needed to breach the security of CardSpace, they are not directly related to the security concept of CardSpace itself. Sure, Windows Vista is a complex operating system in which each security component is responsible for the prevention of particular threats. Nevertheless, we all know that "a chain is only as strong as its weakest link", and the demonstrated attack clearly shows that the component CardSpace itself is insecure. Hoping that the chain still holds, is probably not the best strategy that should be applied by Microsoft in this case.

  • Hi Mark,

    I would like to take up your first point: A multi-purpose operating system is here to help the user to do the job he wants to - wihtout knowing which applications/jobs they want to in advance.

    Therefore, the OS has to be able to do a lot of stuff and the user wants the abilitiy to do that. With this in mind, this leads us to a challenging situation: How do you want to make sure that the user is able to do what he wants without letting the bad thing happen? If you think that through, you will (at least partly) have to rely on the user - at some point in time. We definitely can improve the OS in this respect but still, the user is needed in this equation

    Roger

  • Cardspace is hard to understand (at least for me) and most examples cover only Self-Issued Cards. There are no  examples out there using Managed Cards so I built out a full end-to-end claims federation scenario involving Username/Password backed Managed Cards and the Cardspace Identity Selector.

    Let me know what you think: http://francisshanahan.com/cardspace

  • thank you

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment