Mike Taulty's Blog
Bits and Bytes from Microsoft UK
CardSpace, PPID, Security, Javascript Hijacking


I was on my way up to Glasgow today to talk at an MSDN event about Framework V3.0 and it meant that I had to dredge my memory a little bit yesterday as to how CardSpace works.

Generally, I'm not bad on this stuff: I tried to follow the WS-* specifications for quite a while, so CardSpace wasn't too much of a shock. But there was one thing that was really nagging me yesterday as I was thinking about CardSpace, and it was the often-quoted scenario of using a PPID (the Private Personal Identifier claim) as a way of authenticating a user.

The thing that I kept scratching my head over was this: "What happens if someone steals your PPID (e.g. from a backend store), or just happens to duplicate it by some other means, and creates a fake card with your PPID in it?" Essentially, if the relying party stores nothing but the PPID, the PPID is just a shared secret, and I was really struggling to remember how you were protected from it being leaked.

In truth, you're not really protected from it, and so the advice offered here:

http://blogs.msdn.com/vbertocci/archive/2007/01/15/uniqueid-and-ppid.aspx

is good stuff (essentially: don't just store the PPID, make a note of the card's public key as well, since the PPID is only meaningful in combination with the key that signed the token).

There's also the follow-up post here:

http://www.fearthecowboy.com/2007/01/me-and-my-ppid-can-i-rely-on-it.html

with code that does the "right thing" for you in terms of verifying the signature on the SAML assertion and also checking that the public key hasn't changed since the last time you "saw it".
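The two-step check described above (verify the signature, then compare the signing key against the one recorded at enrolment), as an added example that is not code from this post or from the linked articles. It assumes a toy textbook-RSA signature over a constructed XML-ish assertion, constructed primes and PPID values, and an in-memory store; a real relying party would verify the XML-DSig on the SAML token with a proper library.

```python
"""Bind a CardSpace PPID to the card's signing key instead of treating the
PPID alone as a shared secret. Toy RSA and sample data are constructed."""
import hashlib
import re


def make_keypair(p, q, e=17):
    """Textbook RSA from two constructed primes (demo only, never use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(assertion, n):
    return int.from_bytes(hashlib.sha256(assertion).digest(), "big") % n


def sign(assertion, privkey):
    n, d = privkey
    return pow(_digest(assertion, n), d, n)


def verify(assertion, sig, pubkey):
    n, e = pubkey
    return pow(sig, e, n) == _digest(assertion, n)


def fingerprint(pubkey):
    """Store a hash of (n, e) rather than the raw key material."""
    return hashlib.sha256(f"{pubkey[0]}:{pubkey[1]}".encode()).hexdigest()


def ppid_from(assertion):
    """Pull the PPID claim out of the (constructed) assertion XML."""
    m = re.search(rb"<PPID>([^<]+)</PPID>", assertion)
    return m.group(1).decode() if m else None


class RelyingParty:
    def __init__(self):
        self.users = {}  # PPID -> fingerprint of the key seen at enrolment

    def register(self, ppid, pubkey):
        self.users[ppid] = fingerprint(pubkey)

    def authenticate(self, assertion, sig, pubkey):
        # Step 1: only trust claims from a token the presented key really signed.
        if not verify(assertion, sig, pubkey):
            return "bad signature"
        # Step 2: a known PPID is only accepted with the key it was enrolled with,
        # so a stolen PPID in a freshly minted card fails here.
        expected = self.users.get(ppid_from(assertion))
        if expected is None:
            return "unknown ppid"
        return "ok" if expected == fingerprint(pubkey) else "key mismatch"
```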

Sticking with the security theme for a moment, I've been reading the "Javascript Hijacking" article that's been published by Fortify up here:

http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf

This is interesting stuff. I'll admit that I haven't fully digested it at this point, but I did find a paragraph in the conclusions section that really resonated with me (quoted below):

"rich web interfaces and mashup concepts themselves have been cobbled together. The Web programming community has stretched the existing technology well past its original purposes, so it is not surprising that we occasionally encounter an unexpected side-effect"...

I'm starting to wonder what all these rich web applications mean for someone who wants to run their browser with Javascript turned off because they're frightened of the next "unexpected side-effect".


Posted Tue, Apr 3 2007 5:51 AM by mtaulty

Comments

Mike Ormond's WebLog wrote "On the Subject of Security"
on Thu, Apr 5 2007 7:27 AM
I seem to be on a bit of a security journey at the moment after my own tussle with XSS, then watching...

Mike Taulty's Blog wrote "CardSpace, PPID, Authentication Again"
on Tue, Apr 17 2007 6:25 AM
I wrote a little bit about using PPIDs to authenticate users here but I noticed that...