Developer's Gateway: Passport and XML Web Services, Page 2
There is always a trust issue, with the question of how you can be sure that the information is truly secure and not being used by others. If you trust Microsoft with your operating system, why not Passport? The majority of users will already have a trust base with Microsoft, but it is the recent breaches in security that have raised the question of whether Passport data could be vulnerable. While the Passport database continues to grow by providing services to sites such as MSN, Hotmail and eBay, Microsoft will continue to evolve its security practices in order to reduce the risk to user confidentiality.
With the setbacks in light of the recent security flaws, it should come as no surprise that Passport may take even longer to become more popular. The problem of impersonating another user could potentially allow someone to go into Citicards.com, for example, and hack into the records. Because of this security risk, Citicards forces users to provide a second password registered on Citibank's records. In the end this defeats the entire purpose of using and subscribing to Passport. Any security blunder such as this gives competitors the opportunity to quickly gain market share.
There is also a client-side risk with Web services: the cookies they create can be captured and used for identity theft or impersonation. Web services will not create cookies on servers or databases unless they maliciously do so. But the latest security breaches prove that even a user who is not logged into Passport is not safe from impersonation.
It only takes an insecure application and a careless user for someone to be able to capture a user's Passport credentials or impersonate them. For example, someone uses a vulnerable browser (such as all IE browsers prior to 5.5) that exposes cookie contents to hackers over the Web. The problem is not the cookies themselves, but the browser. With past vulnerabilities, hackers did not need to decrypt the Passport token to impersonate a user. They were able to take the Passport cookie and use the token it carried to gain access to the user's information.
Measures Microsoft can take to ensure security
To ensure security, Microsoft needs to manage the issuance of patches to its software as vulnerabilities are exposed or identified. To alleviate past problems, Microsoft has already taken the Secure Code/Applications initiative, in which experts assess all applications, identify all potential security flaws and risks, mitigate the risks, take proper action and ensure that only certified code is issued. This initiative comes from the inside out and will change the way applications are developed and used on the Microsoft platform.
Measures developers can take to add further security
It is very difficult to build a totally secure system, but there are certain variables provided by the browser that can be used to further validate a user and make this type of attack more difficult. There are a few measures developers can take to give their users further protection, but they will all add extra coding and administration.
- Use the hashed value of the User-Agent header as an additional identity token. To replicate this, the hacker would need to replicate the user's browser; a task that, while possible, will definitely add an extra layer of complexity.
- Time out the session in a shorter timeframe, forcing the user to re-enter the password upon timeout.
- Use the IP address as a validation point. Certain Web technologies such as Web proxies would need to be considered, but this would add an extra layer of validity to the authentication process.
- Require users to provide their password when purchasing items.
- Make sure that when the user leaves a site, all high-risk cookies are deleted from the system.
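The five measures above, combined into one server-side session check, as an added example that is not code from the original article or from Passport itself. The session store, server secret, timeouts and the choice of an HMAC (rather than a bare hash) over the User-Agent are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example values: a real deployment keeps the secret out of source.
SERVER_SECRET = b"example-only-secret"
SESSION_TIMEOUT = 15 * 60      # shorter idle timeout, in seconds
REAUTH_MAX_AGE = 5 * 60        # purchases need the password again after this many seconds

def ua_token(user_agent):
    """Keyed hash of the User-Agent header; stored server-side, never sent to the client."""
    return hmac.new(SERVER_SECRET, user_agent.encode(), hashlib.sha256).hexdigest()

def create_session(store, user_id, user_agent, client_ip, now=None):
    """Bind a new session to the browser fingerprint and source address seen at login."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user": user_id, "ua": ua_token(user_agent), "ip": client_ip,
                  "last_seen": now, "password_at": now}
    return sid

def validate(store, sid, user_agent, client_ip, now=None, check_ip=True):
    """Return 'ok' or the reason the presented session cookie is rejected.
    check_ip=False covers the proxy caveat: clients behind a rotating proxy pool
    legitimately change source address, so IP binding has to be optional."""
    now = time.time() if now is None else now
    rec = store.get(sid)
    if rec is None:
        return "unknown"
    if now - rec["last_seen"] > SESSION_TIMEOUT:
        del store[sid]                      # expired: force a fresh login
        return "expired"
    if not hmac.compare_digest(rec["ua"], ua_token(user_agent)):
        return "ua_mismatch"                # cookie replayed from a different browser
    if check_ip and rec["ip"] != client_ip:
        return "ip_mismatch"
    rec["last_seen"] = now
    return "ok"

def needs_password(store, sid, now=None):
    """Step-up check for purchases: True when the password was last entered too long ago."""
    now = time.time() if now is None else now
    return now - store[sid]["password_at"] > REAUTH_MAX_AGE

def end_session(store, sid):
    """On sign-out, drop the server-side record so a leftover cookie value is useless."""
    store.pop(sid, None)
```

A captured cookie value alone is no longer enough: the replaying client must also present the same User-Agent, the same source address where IP binding is on, and must do so before the idle timeout.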
The largest issue ahead in spreading adoption of XML Web services is the education of corporate IT on the business benefits. In the face of recent fears, developers cannot do much to change the impact that the media's scare tactics have on corporate decision-makers. However, Gartner's suggestion of submitting the Passport's source code for open-source review to regain trust would be a solid step in the right direction. An architecture and development team can see and understand the benefits of having all applications distributed and working as Web services on the technical side. For business, the idea of turning information into a service is amazing progress, and the concept of offering an application as a service and charging for the use or consumption is a whole paradigm shift for the software industry.
On the other side, Passport has been available as a Web service for some time, but due to the structure and security concerns of the past, only larger enterprises that had the infrastructure to support and develop applications, such as Citibank (Citicards) and eBay (Citicards.com), really took advantage of it. The support of WS Security should begin to allay the fears that smaller enterprises and developers of business-to-business and business-to-consumer applications face. It will take time for Passport and XML Web services to be fully adopted by the public. In the meantime, developers need to create solutions using both proprietary authentication services and other agents such as Passport. XML Web services will continue to evolve and will eventually offer services never imagined before.
About the Author
Ted Dinsmore
Ted is president of Conchango New York and founded the practice in 1997. He has since built it into a full consultancy, additionally establishing North-East practices in the Connecticut and Boston markets. He is responsible for sales and business development in the North-East region, with a customer base of American Fortune 500 firms. In addition, he has built up relationships with Microsoft, to provide solutions in the New York and New England marketplace for international clients. Ted has worked with international organizations in both Washington DC and New York, including USA Today and the French government.