As I said in the previous post, the students from Ruhr Universitat who are claiming discovery of security vulnerabilities in CardSpace did NOT “crack” CardSpace.
Instead, they created a demonstration that requires the computer's owner to consciously disable the computer's defenses through complex configurations – following a recipe they published on the web.
The students are not able to undermine the system without active co-operation by its owner.
You might be thinking a user could be tricked into accidently cooperating with the attack.. To explore that idea, I've captured the steps required to enable the attack in this video. I suggest you look at this yourself to judge the students’ claim they have come up with a “practical attack”.
In essence, the video shows that a sophisticated computer owner is able to cause her system to be compromised if she chooses to do so. This is not a “breach”.
I would like to post here a similar comment I posted previously on the related Roger's blog entry titled “The �successful� attack on Cardspace” as Kim's arguments are not much different.
Basically, there are 3 main counter-arguments aiming to make the mentioned attack look harmless:
1. The user is able to prevent this attack due to the deployed warning mechanisms.
2. The required auxiliary attack against DNS entry is not specified.
3. The required auxiliary attack against the Root Certificate Store is not specified.
However:
on 1: Relying on user's ability to protect own system has never been a serious argument in favor of a secure software. Moreover, it is rather the security unawareness of naive users that caused many successful attacks in the past.
on 2 and 3: Although attacks against DNS and Root Certificate Store are needed to breach the security of CardSpace, they are not directly related to the security concept of CardSpace itself.
Discussion:
Sure, Windows Vista is a complex operating system in which each security component is responsible for the prevention of particular threats. Nevertheless, we all know that “a chain is only as strong as its weakest link”, and the demonstrated attack clearly shows that the component CardSpace itself is insecure.
Conclusion and Recommendations:
Hoping that the chain still holds, is probably not the best strategy that should be applied by Microsoft in this case.
Relying on the users ability to give away security related data was and will be always working. the weakest link is the user and Microsoft will never be able protect the user from unsecure the system.