The “successful” attack on Cardspace

I guess you read it as it was pretty wide-spread in the press in the last few days: On the Insecurity of Microsoft's Identity Metasystem CardSpace.

Well, is there any official Microsoft reaction to it? No, not yet and if you look a little bit more in depth into it, I doubt that there will be. Why? Because the whole setup is ridiculous – at least in my opinion. To cut it short: If you ignore all the warnings of the OS and pull down all the protection shields we built into Windows Vista, then it is possible to attack Cardspace. This is true. Is it making me nervous? Not really.

There are mainly two things that you have to do to make the attack successful before you can steal the Cardspace token: Spoof DNS and "compromise" the Root Cetificate Store. Hmm, we all know that attacking a DNS could be possible (even though they do not include it into their presentation) you need the help of the user as well in order to get a certificate in the Trusted Root store or trick a Certificate Provider into issuing a cert to you for a website you do not own. They failed to show in their "proof of concept" how they bring a root cert into the store without having serious support from the user.

Is this a Cardspace vulnerability? I let you decide it.

Kim Cameron posted twice now on this claimed vulnerability:

• Students enlist readers' assistance in CardSpace "breach"
• How to set up your computer so people can attack it

You know that we take vulnerabilities in our software serious. But what these students have done publically now is – with all due respect for their work – irresponsible. It might be cool for them to blame Microsoft and show vulnerabilities in our software – but if you do it, please make sure that you at least make the bar of a vulnerability without needing the in-depth help of the user.

Roger