What is the Information Card Foundation (ICF)? - Sound Familiar? Well, Not Exactly...
(Page 2 of 4 )
True, major player Microsoft has tried a few times to build this sort of advance into its operating systems (in a proprietary manner). Even very recently, with the release of the Vista operating system, CardSpace emerged as Microsoft's latest digital ID project. Surrounded by Vista's initial rollout problems, CardSpace was quickly overshadowed by growing industry disdain for those early issues. Before this, Microsoft's Passport system employed many of the same concepts in a different manner, but with the same limited success.
As far back as 2001, Microsoft came under fire over alleged violations of Section 5 of the FTC Act, privacy policy issues and firewall issues. It was charged that XP might disable programs used for security and privacy, such as ZoneAlarm and Black Ice. More specifically, Microsoft ran into some problems with its Kids Passport policy, which required the collection of what was said to be "more information on children than was determined necessary."
Despite perhaps being a bit before its time, Passport boasted 40 million consumers generating more than 400 authentications per second. Passport opponents cited multiple platform problems, strange behavior with Netscape browsers and persistent cookies without any form of authenticator.
CardSpace, previously known as InfoCard, was then the next attempt at digital ID cards from Microsoft. It was a much more hardened, "tamper resistant" mechanism designed to resist spoofing. Taking things a step further than Passport, CardSpace was designed as a piece of client software enabling users to provide digital identity to online services in a trusted, simple and secure fashion.
This client software is known as an "identity selector," and it lets the user choose what information is sent to a requesting web site. The issuing server is known as an "identity provider"; the identifying information may be held on the user's PC or by a third-party identity provider. CardSpace allows users to create personal, self-issued ID cards containing 14 fields of information, such as full name, address and phone number. This addition of an "authenticator" is the cornerstone of newer ID advancement, and according to Microsoft, the new solution to protecting sensitive information.
Set to forge a new market space, picking up where Passport had left off, CardSpace most recently suffered a setback on May 30, 2008, when three researchers from the Horst Görtz Institute for IT Security in Germany demonstrated how to intercept the authentication token from CardSpace. Once they had intercepted the token, they could use it as if it were their own, gaining access to a site or transmitting sensitive information.
Now that's not to say the interception wasn't tricky: the attack revolved around sending a user to a malicious server, modifying the user's DNS settings (a hacker trick called pharming) and then directing the user to the modified server, where it's possible to grab CardSpace tokens. But it still left Microsoft with egg on its face, figuratively speaking.
More By Brian Sutherland