Wednesday, August 16, 2006

Authentication does matter

In "A clarification" Rohan Pinto writes of how his exploit on Kim Cameron's blog was actually an exploit of a bug in WordPress and not a bug in CardSpace (note that this may be an outright bug in WordPress, or a bug in how Kim configured WordPress on his server -- I'm not sure which). Rohan goes on to ask:
However, this still makes me wonder if "authentication" really matters. "infocard" / a.k.a. microsoft cardspace… is all about user control and consent, and enables users to authenticate based on who they claim to be. The issue is that "authentication" helps establish a valid session. Therefore the web application that uses "user controlled" authentication, SHOULD have processes and RULES in place that validate the rights of the user and control what the user can or cannot do.

Authentication does matter, and in the case of InfoCard the user does have control and consent over where their authentication/identity data is sent. However, they do not yet have control (and this can't be enforced by any client-only solution) over what happens to their data once it gets to the relying party.

Most security folks will tell you that if you can get an account on the system being attacked, you're more than 70% of the way to being able to successfully hack into the target system. Most web server applications are designed with this in mind and severely restrict what one can do from a user's logged-in account.

In this case, Rohan found a hole, but that doesn't mean we should do away with logins, nor does it mean that we should do away with solutions for my current 333 distinct logins or the ease with which the common user is phished (both of which are things that InfoCard is trying to solve).

Access control is always going to be a responsibility of the entity managing the resource (in this case, Kim's blog is managed by a WordPress installation that he set up on his server, so his server must manage the access control). The selection of the tool to manage the resource will be based upon the reliability of the manager and the value of the resource. I'm sure Kim wouldn't have put his bank account up on WordPress without a lot more testing, and perhaps without requiring someone else to stand behind it should there be such a problem (and this does explain why banks in many cases were very slow to play on the internet).
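To make the separation concrete, here is a small added example (my own illustration, not code from the post, from WordPress or from CardSpace) of a relying party that keeps the two concerns apart: an identity claim opens a session, but every right comes from the relying party's own records, and every decision defaults to deny. The claim layout (`subject`, an optional `roles` list), the class and function names, and the sample users and posts are all constructed for this example. The point it shows is the one Rohan raises: because the user controls what a card asserts, a self-asserted "admin" role in the card must have no effect on what the site lets that session do.

```python
"""Added example: authentication (who is this?) kept separate from access control
(what may they do?) in a toy relying party. All names and data are constructed."""
import secrets
from dataclasses import dataclass


@dataclass
class Post:
    owner: str   # subject identifier of the author
    body: str


class RelyingParty:
    def __init__(self):
        self.sessions = {}      # session id -> subject identifier
        self.roles = {}         # subject -> roles granted by the site owner, never by the card
        self.posts = {}         # post id -> Post

    def authenticate(self, claims):
        """Accept an identity claim (assumed already verified) and open a session.

        Only the subject identifier is used. A 'roles' claim in a user-controlled
        card is self-asserted, so it is deliberately ignored: the user controls
        what is sent, the relying party controls what it means.
        """
        subject = claims["subject"]
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = subject
        return sid

    def grant_role(self, subject, role):
        """Administrative action on the server side; the only source of rights."""
        self.roles.setdefault(subject, set()).add(role)

    def is_allowed(self, sid, action, post_id=None):
        """Access-control decision. Unknown session, action or post -> deny."""
        subject = self.sessions.get(sid)
        if subject is None:
            return False
        roles = self.roles.get(subject, set())
        if action == "read":
            return post_id in self.posts
        if action == "create":
            return True                      # any logged-in user may add a post/comment
        if action in ("edit", "delete"):
            post = self.posts.get(post_id)
            return post is not None and (post.owner == subject or "admin" in roles)
        if action == "manage_users":
            return "admin" in roles
        return False

    def create_post(self, sid, post_id, body):
        if not self.is_allowed(sid, "create"):
            raise PermissionError("create denied")
        self.posts[post_id] = Post(owner=self.sessions[sid], body=body)

    def edit_post(self, sid, post_id, body):
        if not self.is_allowed(sid, "edit", post_id):
            raise PermissionError("edit denied")
        self.posts[post_id].body = body


def demo():
    """Run the scenario and return each access decision for inspection."""
    rp = RelyingParty()
    rp.grant_role("site-owner", "admin")          # granted on the server, not claimed by a card
    owner = rp.authenticate({"subject": "site-owner"})
    rp.create_post(owner, "post-1", "Notes on the identity metasystem")

    # A visitor logs in with a self-issued card that asserts an admin role.
    visitor = rp.authenticate({"subject": "visitor-42", "roles": ["admin"]})
    return {
        "visitor_can_read": rp.is_allowed(visitor, "read", "post-1"),
        "visitor_can_edit": rp.is_allowed(visitor, "edit", "post-1"),
        "visitor_can_manage": rp.is_allowed(visitor, "manage_users"),
        "owner_can_edit": rp.is_allowed(owner, "edit", "post-1"),
        "forged_session": rp.is_allowed("not-a-real-session-id", "read", "post-1"),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```

The visitor's session is perfectly valid, which is exactly the situation the post describes: authentication worked as designed. What keeps the visitor from editing the owner's post or managing users is the relying party's own role table and default-deny check, which is the part no client-side identity selector can supply.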

What all this really means is that we need to continue to test our solutions, and when holes are found we need to work with the manufacturer of the products to get them fixed (preferably before we announce them to the world).
