April 25, 2007
RunAs Radio interviews me about Cardspace
Recently I was interviewed by Richard Campbell and Greg Hughes on RunAs Radio. You might have heard of Richard... he's also the host of .NET Rocks!. Where .NET Rocks! is for developers, RunAs Radio is for IT Pros.
Anyways, if you would like to listen to the interview we did on Cardspace, you can download it here. It's about half an hour long, and is a simple introduction to the world of Cardspace, at least from the client-side perspective.
For those already versed in the subject, you will notice a few term definition problems in the interview. It went by so fast, and I didn't make it clear what I was getting at. For those that don't know, here is a primer that may help you understand how I talk about digital identity:
In a couple of places I used the term "credential" where I was really talking about "claims". And in passing it may sound like I was saying it's the Identity Provider's (IdP) role to decide who to trust. That didn't come out right. It is up to the relying party to decide which IdP it wishes to trust. In some cases, it will trust you, because you act as the provider. How? Because when you create a self-issued card and submit it, you are asserting you are who you say you are. It won't be trusted as much as, say... a government IdP. But you get the point. I hope Kim doesn't think about throwing a brick at my head if he hears the interview :)
Anyways, fun interview. Richard and Greg have asked me to come back and do another one where we can explore the server side of things... and discuss how Relying Parties and Identity Providers really work. We may even get into some discussion about Longhorn server and some of the interesting bits there that can be leveraged for the new digital identity ecosystem. Until then... enjoy!
April 03, 2007
As more "Web 2.0" applications become popular, we continue to see richer and richer user experiences (UX) that astound us. To make the UX snappy, UI controls leverage technologies like AJAX to offer better interactive experiences. We all know and love it. Who DOESN'T? I remember the first time I saw the scrolling on Google Maps. I couldn't believe my eyes.
But that comes at a price. People who listen to me speak know I am NOT a fan of melding data and code together. What you get at the data layer should NOT be what you see at the presentation layer. We see so many attack patterns that leverage this to their advantage. From the WMF vulnerability to the origins of Office macro hell (and everything in between), it's just not a good idea to do this.
And Microsoft's Atlas framework is not immune either. Although they HAVE made it more difficult to attack, it is still possible to generate a request from a malicious <script> tag with an HTTP GET request. Actually, I recall a few ASP.NET MVPs suggesting in public newsgroups to use GET for performance gains. There is a trade-off in doing that: you expose yourself to these types of attacks.
The Fortify guys do a good job of explaining the problem, and better yet, of defining how to SOLVE it. I hope Microsoft looks at this new class of attack and creates a mitigation strategy for the Atlas platform as soon as possible.
Consider my post an early warning about the problem, and an echo of Fortify's research on how to mitigate the risks of this attack. If you are building web applications that use Atlas, you need to consider this attack vector in your own threat models, and take action to mitigate the problem as you see fit.