Microsoft CardSpace killed before it really began?

Summary:According to Neowin, computing students at the University of Bochum, Germany, have worked out how to retrieve vital security tokens from Microsoft's CardSpace framework. CardSpace is highly tipped to be the successor to Windows Live ID (Passport) and making passwords a relic of the Cold War, using self-signed or certificate authority signed digital certificates stored on the local machine as proof of who you are.

According to Neowin, computing students at the University of Bochum, Germany, have worked out how to retrieve vital security tokens from Microsoft's CardSpace framework. CardSpace is highly tipped to be the successor to Windows Live ID (Passport) and making passwords a relic of the Cold War, using self-signed or certificate authority signed digital certificates stored on the local machine as proof of who you are.

The

cardspace.png
report states by many means of manipulating the DNS service, including anti-DNS pinning or DNS spoofing, these are all ways of taking the security tokens from a CardSpace file.

Heise Online which reported this story, almost encourage you to try this out. Considering this major security flaw has been brought to light instead of being exploited, it's fair to say they're not interested in stealing your money. It's recommended you alter your own DNS settings to protect yourself anyway, but feel free to give it a go.

Heise report:

"Microsoft has apparently already been informed of the problem and is working on a solution. In their report, the students propose improving Same Origin Policy as a security function for browsers."

Good to know really; considering this "ultra-secure" technology will one day be taking over hundreds of millions of accounts, I speak for a lot of people when I say I'd really rather I keep my password if it'll keep my details that bit more secure.

Update: British students have done it again, blowing another hole in one of Microsoft's attempt at security; this time they've managed to fool the CAPTCHA application applied to many of the Live services like Hotmail and Live ID. Dancho Danchev covers the story in the Zero Day blog.

Topics: Security, Browser, Microsoft, Networking

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.