One way .net Passport authentication is flawed
From: Nick Staff (nstaff_at_ANGELSIN.COM)
Date: 05/05/03
Date: Mon, 5 May 2003 08:18:47 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I bet if you asked people why SSL was secure, most would say because it encrypts your data before
sending it out on the internet. Encryption has become such a buzzword that even my grandmother
won't type her credit card number unless she sees that yellow lock in the bottom right corner of
her browser window. Funny thing is, if you double-click that yellow lock you can view that
site's certificate, and the first thing it tells you is: "This certificate is intended for the
following purpose(s): Ensures the identity of a remote computer". Because ultimately Verisign,
Thawte, and the other trusted CAs have made online transactions secure by verifying the identity
of the person/company being sent the information.
IIS 6.0, which ships with Windows 2003, gives you the option of using .net authentication on your
web site. The problem with letting any site use this is that the log on is just a pop-up window, and there's currently nothing that tells the user if it's legitimate (like the lock for SSL). There's nothing to stop people from
making fake .net passport authentication pages in order to obtain people's logon credentials. For example, here are 2 links: the first is to a page using real .net authentication and the second is to one that I made with forms and layers. Any differences between the two are from a lack of time spent only.
Real:
http://www.angelsin.com/realpassport.htm
Fake:
http://www.angelsin.com/passport.htm
Before responding and telling me why this isn't a flaw and all the ways one can tell if it's fake,
please realize I'm merely posting this as a heads up and am not saying anything other than: in
its current state, some web sites will put up fake passport authentication prompts, which enough
people will fall for to make the general public nervous about using their passport log on at non-mainstream
sites. (My guess is we'll end up with a little passport icon right next to the yellow
lock in our browser window...?)
Anyway, thanks,
Nick