Students at the Ruhr University of Bochum, Germany, say they have found a way to steal security tokens in Microsoft's new CardSpace authentication framework. Attackers can apparently get access to protected, encrypted user data such as passwords, credit card numbers, and delivery addresses when they are transmitted. CardSpace (formerly InfoCard) is the successor to Passport. In both architectures, users' personal data are stored locally on the user's system. Depending on the web site, users can decide which data they want to transmit. CardSpace is designed to make classic passwords a thing of the past, by replacing them with digital certificates that may be self-signed or signed by an authoritative CA such as Verisign.

I thought the second paragraph was more important:
Couldn't you use this to swipe just about any authentication token, not just CardSpace?
1. It's been discovered before it becomes widely used by people.
2. It's better for a student to discover it and publicize it than some underground hacker who will never release the info.
Then why is Microsoft named in the title of this news post? It'll only make people think bad about them!
It's called news bias... it's like how when people talk about MP3 players they always say Apple iPod...
Really it's just another method of having your personal computer be able to automatically sign into M$ certified websites or others who share the same method. Has to run in the background tho' (infocard.exe, if I remember right).
Check your browser. I think it's broken. It puts in an end-of-string sentinel, ending your comment abruptly.
But Seriously:
If I'm set up for multiple sign-in authentications (one for each site I may visit) then if someone compromises the security for any one of those, the others are not necessarily affected. If I set up Cardspace for multiple websites and then some hacker compromises my Cardspace, all the websites I have Cardspace set up for are likely compromised.
Imagine you have a house with 10 external entrances & exits (doors). Would you rather have 10 guards so you can have one guarding one door each, or would you rather have one large (and may I say, bloated) Microsoft-branded guard who supposedly can guard all ten doors? If we follow on from that analogy, it seems Microsoft's door guard, mister Cardspace, has been kicked in the nuts by some German kids and left writhing in agony on the floor while the house he was supposed to be guarding gets robbed.
Lol bloated. What's with Microsoft haters saying everything is bloated?
An app that's like 5 MB big is now bloated.
And btw, this can be used for any authentication tokens. Not just CardSpace. Getting past the encryption on them is a different thing.
Learn 2 read and use your common sense.