Re: Tell me about security/privacy issues with .NET/mono

From: Star Fleet Admiral Q (Star_Fleet_Admiral_Q(NO-SPAM)_at_(FORGET-SPAM)hotmail.com)
Date: 07/01/04 

Date: Wed, 30 Jun 2004 23:06:05 GMT

It boils down to this - MS has confused the issue by using .NET
preface for everything. .NET passport is one thing, .NET framework is
another - both can be used by the other, but the other is not required
for either. .NET passport is used for authentication and
collaboration of data with participating vendors/merchants/etc, while
.NET framework is used as the foundation for another .NET (Visual
Studio .NET) programming suite, base on all languages building
intermediate CLR (Common Language Runtime) object code, which is not
compiled into an executable/binary until first access. Before you
know it, you'll have .NET SQL server, .NET Office Suite and heaven
forbid Windows .NET running .NET antivirus suite. Of course I'm being
cynical, but MS tends to overuse it catch slogans, like "2000" - I
think I've been Windows 2000, Money 2000, Office 2000, FrontPage 2000,
Visio 2000, that 2000, this 2000, other 2000 etc etc etc ;-) if you
catch my drift. I thought they learned their lesson with Windows XP
and Office XP, but guess not. 

-- 
Star Fleet Admiral Q @ your service
--------------------------------------------------------
"LucM" <lucm@iqato.moc> wrote in message
news:yHDEc.156095$rt5.1747436@wagner.videotron.net...
> Star Fleet Admiral Q wrote:
> > You are misinformed -
>
> Well, I am not misinformed - I am misunderstood (by you).
>
>  > .NET applications can use "passport" if the
> > programmer so chooses when he/she creates his/her application, but
in
> > no means is a requirement.
>
> I agree, Passport authentication is not _required_ in .NET
applications.
>
> On the other hand, I don't agree that "passport has nothing to do
with
> .NET" as you stated in your previous post. Your statement was wrong,
> this is why I replied.
>
>  > Matter of factly, you can you "passport"
> > in Visual Studio 6 applications, which pre-dates .NET's existance.
I
>
> I agree, there is a Passport COM object available.
>
> > have written many .NET applications/web page projects and not used
the
> > "passport" API's or plugins (they are not included/activated in
your
> > project by default, and you must write the code to handle the data
> > exchange if selected).
>
> Of course. Passport is one of the four authentication modes for a
> ASP.NET application. The other three are Windows, Forms and None.
>
> Someone can select the "none" mode and write a custom authentication
> process; but from a .NET point of view the authentication mode is
still
> "none". There is no escape from the 4 modes.
>
> As for writing the code, it is also required for the Forms
> authentication, where you must provide a login page and the related
> code. Still, this does not make the Forms authentication a 3rd party
> thing! Same applies for the Passport.
>
> Only the Windows and None mode _can_ be transparent.
>
> > Passport is nothing more than a login which has the ability to
store
> > data on a 3rd party server for quick reference by other 3rd party
web
> > applications, based on that same login, very similar to how Active
> > Directory works within a Win2k or Win2k3 domain.
> >
>
> I guess the issue here is the keyword "Passport" which can be
confusing.
>
> The Passport authentication is a service provided by Microsoft that
can
> be used by a wide range of technologies. In the .NET context, it is
an
> authentication mode.
>
> So I'll insist on this point: as far as .NET is concerned, Passport
is
> not like LDAP, Radius, or any proprietary authentication system. It
is
> not an external, 3rd party authentication process, it is a built-in
> authentication mode.
>
>
> -- 
> LucM
>
> Visit your friends
>  > www.gnu.org
>  > www.greenpeace.org

Relevant Pages

  • [NT] Microsoft Passport to Trouble
    ... Microsoft Passport to Trouble ... Passport accounts currently are actually Hotmail accounts). ... It does not allow for sufficient control over the use of authentication ...
    (Securiteam)
  • Re: Single sign on in ASP.NET
    ... Oh, I forgot to mention, Microsoft has already addressed this issue using the MS Passport. ... "Hans Kesting" wrote: ... >> authentication is Forms Authentication with Active Directory. ... > In an intRAnet situation, where all servers and clients run Windows, ...
    (microsoft.public.dotnet.framework.aspnet)
  • [NEWS] Microsoft Passport Account Hijacking (Hacking Hotmail and more)
    ... Microsoft Passport Account Hijacking ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... measures and extended authentication methods have to be implemented into ... Many Web Mail Applications, such as Hotmail, ...
    (Securiteam)
  • RE: Passport authentication -- how can I debug it?
    ... local Passport auhtentiation server which can accept the login request and ... the passport authentication is also cookie based and ... So it seems that all the work is done by the remote passport server rather ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Tell me about security/privacy issues with .NET/mono
    ... Passport authentication is not _required_ in .NET applications. ... but from a .NET point of view the authentication mode is still ... not an external, 3rd party authentication process, it is a built-in ...
    (comp.os.linux.security)