MY FRIEND THE ATTACKER

In my recent post on Hardy Infocard Pioneers, I refered to the fact that the first “attack” had been made on the site. Apparently, I wasn't clear enough about the fact that I saw this as a good thing - something I appreciated. That led to this comment from Rohan.

Hi Kim,

An Attacker. thats a nice title, when the intention was not to “attack” but try to look at infocards from the other side. From another perspective altogether. Everybody seems to just nod heads when workflows and use case examples are explained. I have not seen many who have tried to disagree in the “open”.

Well, I am trying to do just that. Not disagree, but to look at it from another angle, and talk to you about my discoveries.

I’m sure that youd’ acknowledge, that I “did” inform you as soon as I logged into your site with FAKE info. Well, thats not called an “attack”.

As far as the “browsehappy.com” link goes, thats just a joke…

Like you said : All of us will be attacked and all of us have to work hard – and together – to create a safe internet. I AGREE with you. 100%. But lets be open to ideas that may be contradictory to our own….. My efforts are to create a SAFE internet. To point out issues and errors, so that one may work on fixing them.

So let me set the record straight. I think Rohan is making a positive contribution to thinking about InfoCards. I appreciate what he is doing for the very reasons he expresses. And if you go to his site, you'll see how creative he is.

I didn’t mean “attacker” in the “normal” sense of the word – I was talking about THE ATTACKER ROLE we refer to as identity and security people, when we attempt, as he did, to think things through from the viewpoint of an attacker.

I am delighted to have others in the community thinking through the possible attacks with me. More about that in a minute.

In terms of the browsehappy.com thing, it was obvious that Rohan was poking fun – and that's fine. I just appreciated the opportunity to rail, en passant, against a couple of the site's more dubious claims.

This said, I'd like to be very clear about the status of the work I'm doing here to InfoCard-enable my site.

There are two parts to this project.

The first is pretty much complete, and involved developing a way to consume and verify InfoCard SAML tokens using a typical LAMP server without installing binaries.

The second is the part I'm working on now. It involves experimentatng with how to use InfoCards concretely from a web site – in this case my blog. I'm learning as I go. After all, InfoCards are a relatively recent arrival on the scene…

I'll publish various elements of code as it evolves – but I'm writing this stuff personally as an exploration – it isn't a product, doesn't yet have a formal threat analysis, hasn't gone through security reviews, and hasn't even been seen by anyone other than me before appearing here. What you see is what you get.

My thinking is that the security threat model and reviews will be done here as part of the blogoshere process. And no doubt we'll find things to fix, working as a team.

Published by

Kim Cameron

Work on identity.

7 thoughts on “MY FRIEND THE ATTACKER”

  1. Whew !! Thank you so much Kim. for a moment I thought that you felt I was against you. I am not, and i feel so happy that you recognize that. I was unsure of the term “attacker” and immediately posted a comment on your blog post.

    Anyway. I would also like to put on record that your anticipated PHP code release DOES have some “magic” in it. I assume that it's the STS implementation in PHP…. & thats because I realised that just an OBJECT tag and ie7 on winXP does not kick off the Identity Selector. There's more to it.. and i'm still trying to discover what exactly is required………. and i'll blog about it as I roll along.. and periodically shoot you updates on what I've done and also on how I did it…

    I'm currently in the process of converting the C# STS code included with the MSFT Infocard Resource Kit to Java…. it's going very slow right now…. but i'll complete it eventually…

    I see the term “attacker” as a compliment now.
    PS: I am maintaing a seperate blog on my work around infocard at http://blogs.sun.com/infocard and keeping my non infocard blogs on http://blogs.sun.com/rohanpinto

    Kim replies

    Glad to see you happy again Rohan.

    On the PHP code bit, there is no magic in my implementation. Perhaps what you are seeing is caused by the fact that the InfoCard system currently only comes up if you have an https connection going.

    So you need a cert and to get https happening on the page from which you invoke the object tag.

    I hope that by the time we ship this restriction will no longer apply. It isn't absolutely needed from a theoretical point of view – we could be passing the cert info in the OBJECT tag, and this would make deployment a lot easier. But we just aren't there yet.

    I was able to get an SSL cert for just a few bucks.

    Kim

  2. I was aware of the current SSL (certificate) requirement. I tried to use a self signed cert (openssl) and that just didnt work…

    I assuemd that at your end you were using a “relying party” STS implementation in your PHP code…

    I tried the SSL/OBJECT tag / WinXP,WinFX & ie7 on several various platforms…. and invoking the Identity Selector just didnt work.. (i have a lot more to learn)

    (well; when I say various platforms, I mean various OS platforms (with various webserver combinations) running within my “VMware workstation” client.

  3. This is what I have:
    – WinXP, WinFX, IE7
    – HTML page with the OBJECT tag (in fact, I copied the login page of your website)
    – Hosted on a local web server with a self-signed cert.

    When I access the HTML page, it still doesn't invoke the ‘Identity Selector’. Tried quite a few variations, but with no luck.
    Am I missing something very basic here?
    – Ashish.

  4. Hi Ashish,

    Thats what I've been trying to tell Kim. Thanks for reiterating it. Just an OBJECT tag does not kick it.. there's more to it than embedding an object tag.

    Rohan

Comments are closed.