Jeff Bohren picks up on Axel Nennker's recent post:
Axel Nennker points out that the supposed “Cardspace Hack” is still floating around the old media. He allows the issue is not really a Cardspace security hole, but a problem between the keyboards and seats at Ruhr University Bochum:
A while ago two students, Xuan Chen and Christoph Löhr, from Ruhr University Bochum claimed to have “broken” CardSpace. There were some blog reactions to this claim. The authoritative one of course is from Kim.
Today I browsed through a magazine lying on the desk of a colleague of mine. This magazine with the promising title “IT-Security” repeats the false claim and reports that the students proved that CardSpace has severe security flaws… Well, when you switch off all security mechanisms then, yes, there are security flaws (the security researcher in front of the computer).
Sort of what developers like me call an ID10T error.
Update: speaking of ID10T errors, I originally mistyped Axel’s name as Alex. My apologies.
Kim, again I think you understate the current risk of the end system being 0wn3d. Given that millions of systems are, it is a very reasonable expectation that those with CardSpace will be. One approach to dealing with that problem would be to demonstrate a CardSpace implementation where the cards are kept on another device that also performs authentication operations. Perhaps I am very ignorant and such an implementation exists?
Yes, this is supported now through the use of smart cards, and we have shown prototypes where the token generation will be done on either mobile phones or “smarter cards” and dongles.
I don't think I underestimate any threat. However, if the PC is owned, then the very content of transactions carried out on it is owned, and safe authentication provides no benefit. For example the German student attack, even after the user had disabled his certificate checking and configured his DNS store for self-poisoning, did NOT compromise CardSpace at all – rather it employed machine control to use the legitimate token illegitimately.