Passport to Nowhere 361
prostoalex writes "CNET News.com.com talks about less than glamorous acceptance of Microsoft's single sign-on technology, .NET Passport. Being launched as a single sign-on service for online businesses and competing heavily with the open Liberty Alliance project, which so far has produced just a large amount of PDF files, .NET Passport is considered a failure (although not by Microsoft). Turns out, high licensing fees, lack of simple implementation, security leaks and server downtime were not acceptable to most of the potential clients out there."
Favorite quote from TFA (Score:5, Insightful)
I think that more or less hits the nail on the head. This is aside from the downtime issue, which is embarrassing, and privacy issues, which are disturbing. On the privacy/downtime note, the Liberty Alliance may be vapor currently, but the idea of a "federated" system sounds much better to me. It's not a problem I have with Microsoft, rather it's a problem I have with giving all of my personal information to a single organization to put into a central repository.
No sir, that's bad sauce.
Personally.. (Score:5, Insightful)
"Competing Heavily"? (Score:5, Insightful)
I mean, doesn't "competing heavily" imply that there's, well, an active competition in the first place?
Problem that doesn't exist big time... (Score:4, Insightful)
No thanks (Score:4, Insightful)
Failure. (Score:2, Insightful)
Re:"Competing Heavily"? (Score:1, Insightful)
Concept Good, at first. (Score:5, Insightful)
But in reality, there isn't anyone who is secure enough, trustworthy enough, powerful enough and smart enough to pull off a system that would work and would be trusted.
You need to have the strength and power to be able to build such a system, and with those, trust invariably goes out of the window.
So for now I'll keep all my passwords in my brain, and pay the price of my mistrust.
Jolyon
Perhaps entering passwords and form fields... (Score:3, Insightful)
Re:Only used in hotmail (Score:3, Insightful)
eBay has it where you can use it for sign-in (though I don't), and I have seen it on other sites for registration. I had to get a Passport for work, and I tried it at some of those places. One site I signed in with Passport, and it still wanted me to fill out all of the registration information - not verify what was there, but actually fill it all in again.
I guess it made me feel good to know they didn't just pass over my information, but made me immediately wonder what it was useful for.
This is not just a passport issue (Score:2, Insightful)
My $0.02 (Score:2, Insightful)
Fast forward almost three decades and now we should keep designing it to avoid tactical commercial strikes.
If everything, like commercial web security, was placed in the hands of one trusted authority, some problems would be solved. (I for one welcome single sign-on to all my messageboards and other non-sensitive websites regardless of their affiliation) But build that authority on a single corporate entity and the whole mess comes tumbling down once that solitary company folds, runs out of funds or cuts the project. Not to mention that they then have the power to determine limits of use to suit their own agenda.
MS Passport is one such technology that attempted to carve a market niche contrary to the spirit of the medium it was intended to support. The internet is not monolithic and its use and enrichment should follow.
</soapbox>
Re:Favorite quote from TFA (Score:5, Insightful)
It's a lot like (Score:2, Insightful)
Re:Favorite quote from TFA (Score:2, Insightful)
So far I've used the Passport on two sites, McAfee's online antivirus subscription site and radioshack.ca whenever I order something.
Re:No thanks (Score:5, Insightful)
The entire concept is flawed from the get-go.
If I wanted my passwords stored on a computer, then I might as well do away with them completely.
But assuming I did want to store my passwords on a computer, I'd want them on my computer.
And if for some reason, I wanted to store them with a third party, I wouldn't want the storage to be a single sourced service.
And if I was willing to accept a single sourced service, I still wouldn't want that source to be Microsoft.
And assuming you get past all of the above, you still need to convince the vendor that it's good for them too - and you'll need to convince a lot of them to make it worthwhile.
-- this is not a
Anyone uses mozilla password thingie? (Score:2, Insightful)
Even IE can do it, I think... so, I think the single sign-on in Passport is really a fucking hoax designed to lock Linux and OSS out of large datacenters.
Re:2 Things (Score:4, Insightful)
Re:Generic description (Score:5, Insightful)
Personally, I'd say the posting of that story should stand as proof that Slashdot isn't so biased as you seem to indicate. Moreover, whenever good news for Microsoft is posted here, it's generally studied with great detail and flaws are exposed in the methodology. For example, in the story you mention, they ignored worms, viruses, trojans, etc, because they didn't involve a person specifically targeting a specific Windows machine for an intrusion. I remember thinking that the only valuable thing to come of that study was that Linux/Unix/whatever required actual human intervention to break into it, while Microsoft wasn't worth the bother when a thousand automated tools do it for you.
-N
Re:Problem that doesn't exist big time... (Score:5, Insightful)
The most recent Cryptogram [schneier.com] has a highly relevant comment on this issue:
Crap can flow uphill (Score:5, Insightful)
Company A holds your credit card information and controls the sign up system.
Company B: You make purchases through their system, credit card details are pulled from company A, you're happy.
Slap on 100 Company B's each with the ability to pull your credit card data so you can make purchases.
You now have 100 new possible locations for a hacker to crack, giving them access to a massive database of credit card data.
A chain is only as strong as its weakest link. The more merchants you add to this style system, the better chance your chain will break one day.
Re:Favorite quote from TFA (Score:3, Insightful)
My browser, just like all the other browsers out there, has a nifty little feature which remembers my logins.
If mozilla ever gets that roaming profile idea, then passport is completely useless.
Just how many Google logons do I need? (Score:4, Insightful)
- AdWords
- AdSense
- Google API
- SiteSearch / Websearch
- Blogger
They just keep adding new services, but there's no sign of any unity coming...
Re:Generic description (Score:2, Insightful)
Re:Favorite quote from TFA (Score:4, Insightful)
Multiple logins aren't better either. Given the sheer quantity of internet forums, a user will eventually give up on creating new username/password combinations and will simply recycle them (a big security risk right there.)
Re:Favorite quote from TFA (Score:5, Insightful)
The problem of single sign on (SSO) does exist, particularly in the corporate world. Vendors implementing Web Portals (MS SharePoint [microsoft.com], Sun Java System Portal Server [sun.com], BEA WebLogic Portal [bea.com], Vignette Portal [vignette.com], etc...) have a particular interest in SSO and identity management via Identity Services to present a single interface to various systems in an enterprise.
My main problem with MS Passport is that it's Microsoft's version of a standard rather than a community standard. Applications can connect via MS's SDK [microsoft.com] rather than publishing the standard. Using Open LDAP [openldap.org], Sun's Identity Server [sun.com], etc... will generally follow open standards and have better compatibility to other open source/standard applications.
Re:Hmmm (Score:3, Insightful)
I know you were joking (at least that's what the moderation indicates) but I just don't see people flocking to the stores to get the latest copy of windows. Adoption of XP has been pretty slow (even though it's the best windows yet). People sit there with spyware, worms, memory leaks, and complete shit on their computers and don't even care. It's amazing what the average computer user will put up with.
Re:Only used in hotmail (Score:3, Insightful)
Re:Favorite quote from TFA (Score:4, Insightful)
American Express, AOL Time Warner, Bell Canada, Citigroup, France Telecom, General Motors, Hewlett-Packard Company, MasterCard International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corporation, Sun Microsystems, United Airlines and Vodafone.
Perhaps it's just me, but it sure sounds like their marketers' wet dream.
Re:Look for the .NET Passport Sign In button (Score:2, Insightful)
Re:Favorite quote from TFA (Score:4, Insightful)
How's the weather in Redmond?
I'm sure PassPort will protect you from spyware, such as keystroke loggers, on those public terminals, right? And I'm sure that giving MSFT control over my personal authentication tokens is really in my best interest, never mind passport's publicised security problems. Yeah, I'm the retard for not trusting it.
Re:Favorite quote from TFA (Score:1, Insightful)
History has shown us time and time again that it is very possible for even the most secure systems to be compromised, over and over again. Microsoft does not necessarily in many views have a high security track record, and there then is no way that I personally am willing to allow my personal information (including some financial information, as eBay [ebay.com] (at least at one point) is one of the companies that signed on to the .NET passport system) to be put in the hands of a private enterprise's systems, making it among other things an appealing target, paired with the fact that it's Microsoft, doubling the appeal if not more so for some.
Re:Favorite quote from TFA (Score:3, Insightful)
How is this any more or less of a security risk than having a single sign-on in the first place? ( Assuming equal security of the account storage, I guess. )
Recycling l/p pairs can lead to 1 -> Several account compromises - single signons can lead to 1 -> All.
YLFI
Old News (Score:2, Insightful)
MS-Passport is inherently insecure (Score:3, Insightful)
I'd be especially wary of sites locked into ASP or .NET, not just for the inherent security problems. PayPal, for example, is at potential risk, as it is owned by eBay. But read the changes to HotMail or other similarly MS-Passport encumbered services.
There are ways to do secure, platform independent, centralized authentication for web and other services, but MS-Passport isn't one of them. See Kerberos + LDAP instead. If you don't wish to experiment on *BSD or something else, all the major Linux distros include both clients and servers. There are even ways of scaling enormously [dlib.org]. Universities and libraries with electronic subscriptions should be able to get the most mileage out of Kerberos.
Re:Use PGP? (Score:2, Insightful)
For regular authentication either your browser would need to repeat that process OR
That said, I see no security problem with it unless you get so tired of typing your passphrase that you change it to "asdf".