Langa Letter: The End Of Anonymous Surfing? - InformationWeek
Software // Enterprise Applications
10:18 AM
Fred Langa
Fred Langa
Threat Intelligence Overload?
Aug 23, 2017
A wide range of threat intelligence feeds and services have cropped up keep IT organizations up to ...Read More>>

Langa Letter: The End Of Anonymous Surfing?

Microsoft's Passport and its competitors are making it harder than ever for computer users to keep a low profile, Fred Langa says.

But wait, you might say, doesn't the use of the Passport centralized service imply that there's a centralized, consistent privacy policy across all the Passport sites?

In a word, no. In fact, Microsoft's Passport FAQ clearly states that, although it expects its member sites to behave properly:

...the privacy practices of Passport participating sites will vary. Therefore you should carefully review the privacy statement for each Passport participating site you sign in to, in order to determine how each site or service will use the information it collects.

Wow! Think about what that means. Passport users are not only subject to the same site-by-site vagaries of privacy policy as any other users, but they also arrive at each site dragging Passport's persistent tracking number with them. So, ironically, logging on to a site via Passport may actually make you less secure than if you went in on your own, because with Passport, you can't be fully anonymous from session to session.

And there actually are many other ways that Passport information could be abused. One scenario is spelled out in some detail by Joel Spolsky in Does Issuing Passports Make Microsoft A Country?

If Joel's page is too informal for your tastes, try this white paper from AT&T researchers: Risks Of The Passport Single Signon Protocol, or see the additional references at the end of this article.

Crackers' Paradise?
One also can ask legitimate questions about the inherent safety of the Passport central database because Microsoft has a spotty record of managing its online services. See, for example, any number of reports about Hotmail outages, or Messenger woes cast cloud over Hailstorm. Although the Passport central site doesn't gather extremely sensitive data by default, it can do so optionally. If you also choose "make your shopping easier" with the Passport Wallet, your Passport login can be associated with your credit-card numbers and such. The potential for trouble is obvious, so the site is likely to become a prime target for crackers.

While the skills needed for a frontal assault on the full Passport database might be formidable, it probably won't be very hard at all to crack many individual accounts, because each Passport depends on each user choosing a good password.

IT administrators know how hard it is to get users to pick difficult-to-guess passwords. A good password is a mix of characters, numbers, and punctuation at least six elements in length, such that the password will not be found in any dictionary; it should not comprise easy-to-guess items such as names of children, pets, etc. Ideally, a good password is one that's as close to incomprehensibly random as possible, while still being able to be memorized without writing down.

But most users pick much simpler passwords, and that means that many Passport accounts may be trivially easy to crack. Because a single name/password can protect a user's online identification at many sites, a breach of a Passport account may have an unusually large ripple effect.

To help overcome some of this fundamental insecurity, just a few weeks ago Microsoft revealed a newer version of Passport that will eventually rely on the P3P (Platform for Privacy Preferences) open standard; but this is of little help today because the standard is still only in working draft form. (See P3P: Protector Of Consumers' Online Privacy for an early analysis.)

Thus, even if P3P eventually helps improve Passport security, it's of no use right now to the millions of people exploring XP and being enticed to sign up for the current version of Passport.

2 of 3
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
[Interop ITX 2017] State Of DevOps Report
[Interop ITX 2017] State Of DevOps Report
The DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll